Analysis Overview
Threat Level: Known bad
The file https://youtube.com was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies Installed Components in the registry
Drops startup file
Drops desktop.ini file(s)
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in Windows directory
Drops file in Program Files directory
Suspicious use of FindShellTrayWindow
Runs net.exe
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Enumerates system info in registry
Modifies registry class
Suspicious use of SendNotifyMessage
Checks processor information in registry
Modifies Internet Explorer settings
Modifies Internet Explorer Protected Mode
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer start page
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-03-21 07:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-03-21 07:24
Reported: 2024-03-21 07:32
Platform: win7-20240221-en
Max time kernel: 147s
Max time network: 267s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Explorer.EXE | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "Guest" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "123" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514" | C:\Windows\Explorer.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Guest\Desktop\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1001\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Contacts\desktop.ini | C:\Program Files (x86)\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Users\123\Desktop\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Users\123\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Downloads\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Desktop\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Contacts\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-501\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Favorites\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Searches\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File created | C:\Users\123\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Users\123\Links\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Users\Guest\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Favorites\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Searches\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Users\Guest\Favorites\Links for United States\desktop.ini | C:\Windows\System32\mctadmin.exe | N/A |
| File opened for modification | C:\Users\Guest\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Searches\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Links\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-501\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\Links\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Favorites\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\123\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Users\Guest\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\Explorer.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\System32\regsvr32.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\123\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Control Panel\Desktop\Wallpaper = "C:\\Users\\Guest\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Control Panel\Desktop\Wallpaper = "C:\\Users\\Guest\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\123\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP | C:\Windows\System32\ie4uinit.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP | C:\Windows\System32\ie4uinit.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\rundll32.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\rundll32.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Explorer.EXE | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Explorer.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Explorer.EXE | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Explorer.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "DokChampa" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = e0c05f64617bda01 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\28\IEPropFontName = "Euphemia" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\28\IEFixedFontName = "Euphemia" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\34 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000032f80314d6dd0a58cf3eaa1aa798f4e65f5b6f5ecba909a3ccaf70591c448af5000000000e800000000200002000000051a1de38abdf50be6f4bcb941d923f1091dae54efd0b5ade24135f8639d776e820000000f46e841e346ce077767f280651ca915b4bd6394ce6846b151bd8541ed3b2f25640000000c3e529085e628248a137e37ce1eb2b4cf578f608a9f7cfbc95951a4467394d385d222d7db1bc1ab3c584e9c29bc92acf56eaf3a7316e896f4217134d68acdcf4 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\5\IEPropFontName = "Times New Roman" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\29 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\17 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\9 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Khmer UI" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\38\IEFixedFontName = "MV Boli" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Mangal" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\30\IEPropFontName = "Microsoft Yi Baiti" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\SOFTWARE\Microsoft\Internet Explorer\Document Windows | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\6\IEPropFontName = "Times New Roman" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\Document Windows\height = 00000000 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\23 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\29 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\36\IEFixedFontName = "Myanmar Text" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Desktop\General | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\Document Windows | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Settings\Anchor Color Visited = "128,0,128" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\6 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\21\IEPropFontName = "Microsoft Himalaya" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\Main\Cache_Update_Frequency = "Once_Per_Session" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\11\IEFixedFontName = "Shonar Bangla" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Main\Show_StatusBar = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Main\Show_URLToolBar = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\24\IEFixedFontName = "MS Gothic" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\35\IEFixedFontName = "Estrangelo Edessa" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Main\Do404Search = 01000000 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\SOFTWARE\Microsoft\Internet Explorer\New Windows | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Setup | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\IntelliForms | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\30\IEFixedFontName = "Microsoft Yi Baiti" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Security\Safety Warning Level = "Query" | C:\Windows\System32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Sylfaen" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\36\IEPropFontName = "Myanmar Text" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\LowRegistry | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\25 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Main\Save_Session_History_On_Exit = "no" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Desktop\General | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\International\Scripts\37\IEFixedFontName = "Khmer UI" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\International\Scripts\21\IEFixedFontName = "Microsoft Himalaya" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\Main\UseClearType = "no" | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Windows\system32\winlogon.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.AudioCD\Shell\Play\Command | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpg | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.aiff | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.aiff\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/avi | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.adts\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wav\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.m2t | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wm | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wm | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DVR-MS\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mov\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp2v | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpg | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501_Classes\Local Settings | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.midi\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wpl | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.m2ts\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.midi | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg2a | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.asx | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Enqueue\command | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.tts\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.WTV\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mms\shell\open\command | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/vnd.dlna.adts | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.m2t | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mp3 | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg2a | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpe | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Enqueue | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.au\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.WMD\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mp4 | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.DVR-MS\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2 | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.midi | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpeg\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.3gp2 | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.adt | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wmd | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-wav | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mod\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mpg | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mid\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\ShellEx\ContextMenuHandlers | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mp4 | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-501_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PromotedIconCache = "{7820NR76-23R3-4229-82P1-R41PO67Q5O9P},{7820NR75-23R3-4229-82P1-R41PO67Q5O9P},{7820NR74-23R3-4229-82P1-R41PO67Q5O9P},{7820NR73-23R3-4229-82P1-R41PO67Q5O9P}" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4v\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cda\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-mplayer2 | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mpegurl | C:\Windows\System32\unregmp2.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://youtube.com
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5959758,0x7fef5959768,0x7fef5959778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1360,i,556629430505787730,14103422523834587013,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1360,i,556629430505787730,14103422523834587013,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1360,i,556629430505787730,14103422523834587013,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1360,i,556629430505787730,14103422523834587013,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1360,i,556629430505787730,14103422523834587013,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1516 --field-trial-handle=1360,i,556629430505787730,14103422523834587013,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1312 --field-trial-handle=1360,i,556629430505787730,14103422523834587013,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 --field-trial-handle=1360,i,556629430505787730,14103422523834587013,131072 /prefetch:8
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\net.exe
net user /add 123 123
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add 123 123
C:\Windows\system32\net.exe
net user /add Admin 123
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user /add Admin 123
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\userinit.exe
C:\Windows\system32\userinit.exe
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -UserConfig
C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ie4uinit.exe -ClearIconCache
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402f7688,0x1402f7698,0x1402f76a8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402f7688,0x1402f7698,0x1402f76a8
C:\Windows\System32\ickr0a.exe
"C:\Windows\System32\ickr0a.exe"
C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
C:\Windows\SysWOW64\runonce.exe
C:\Windows\SysWOW64\runonce.exe /Run6432
C:\Windows\System32\mctadmin.exe
"C:\Windows\System32\mctadmin.exe"
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\userinit.exe
C:\Windows\system32\userinit.exe
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -UserConfig
C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ie4uinit.exe -ClearIconCache
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\123\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402f7688,0x1402f7698,0x1402f76a8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\123\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402f7688,0x1402f7698,0x1402f76a8
C:\Windows\System32\ickr0a.exe
"C:\Windows\System32\ickr0a.exe"
C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
C:\Windows\SysWOW64\runonce.exe
C:\Windows\SysWOW64\runonce.exe /Run6432
C:\Windows\System32\mctadmin.exe
"C:\Windows\System32\mctadmin.exe"
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | youtube.com | udp |
| NL | 142.250.179.174:443 | youtube.com | tcp |
| NL | 142.250.179.174:443 | youtube.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| NL | 142.250.179.206:443 | www.youtube.com | tcp |
| NL | 142.250.179.206:443 | www.youtube.com | tcp |
| NL | 142.250.179.206:443 | www.youtube.com | tcp |
| NL | 142.250.179.206:443 | www.youtube.com | tcp |
| NL | 142.250.179.206:443 | www.youtube.com | tcp |
| NL | 142.250.179.206:443 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | udp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.49.3:443 | beacons.gcp.gvt2.com | tcp |
| US | 192.178.49.3:443 | beacons.gcp.gvt2.com | tcp |
| US | 192.178.49.3:443 | beacons.gcp.gvt2.com | udp |
| US | 192.178.49.3:443 | beacons.gcp.gvt2.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\favicon[1].ico
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\re26ad0\imagestore.dat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Cab20BB.tmp
C:\Users\Admin\AppData\Local\Temp\Tar20BE.tmp
C:\Users\Admin\AppData\Local\Temp\Tar21EC.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
\??\pipe\crashpad_2732_BVDGYYBWLDVLXNDP
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_A2CFFC3C54D475112D9FC5039EB0095F
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_A2CFFC3C54D475112D9FC5039EB0095F
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
C:\Users\Admin\AppData\Local\Temp\~DF6650F16BC0E8BC0C.TMP
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFf76ae39.TMP
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
memory/1716-659-0x0000000002B30000-0x0000000002B31000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-501\desktop.ini
C:\Users\Guest\Contacts\Guest.contact
memory/2760-684-0x0000000002160000-0x0000000002170000-memory.dmp
memory/2760-690-0x00000000023D0000-0x00000000023E0000-memory.dmp
C:\Users\Guest\AppData\Local\Microsoft\Windows Mail\edb.log
memory/2760-703-0x00000000022A0000-0x00000000022A1000-memory.dmp
memory/2760-705-0x0000000002280000-0x0000000002282000-memory.dmp
memory/2760-708-0x0000000002280000-0x0000000002282000-memory.dmp
memory/2760-716-0x0000000002750000-0x0000000002752000-memory.dmp
memory/2760-718-0x0000000002340000-0x0000000002342000-memory.dmp
memory/2760-726-0x0000000002340000-0x0000000002342000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
memory/2760-790-0x0000000002B20000-0x0000000002B22000-memory.dmp
memory/2760-791-0x0000000002B10000-0x0000000002B11000-memory.dmp
memory/2760-794-0x00000000021F0000-0x00000000021F1000-memory.dmp
memory/2760-798-0x00000000021C0000-0x00000000021C2000-memory.dmp
memory/2760-800-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
C:\Users\Guest\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
C:\Users\Guest\Contacts\desktop.ini
C:\Users\Guest\Videos\desktop.ini
| MD5 | 50a956778107a4272aae83c86ece77cb |
| SHA1 | 10bce7ea45077c0baab055e0602eef787dba735e |
| SHA256 | b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978 |
| SHA512 | d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a |
C:\Users\Guest\Desktop\desktop.ini
| MD5 | 9e36cc3537ee9ee1e3b10fa4e761045b |
| SHA1 | 7726f55012e1e26cc762c9982e7c6c54ca7bb303 |
| SHA256 | 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026 |
| SHA512 | 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790 |
C:\Users\Guest\Pictures\desktop.ini
| MD5 | 29eae335b77f438e05594d86a6ca22ff |
| SHA1 | d62ccc830c249de6b6532381b4c16a5f17f95d89 |
| SHA256 | 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4 |
| SHA512 | 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17 |
C:\Users\Guest\Favorites\desktop.ini
| MD5 | 881dfac93652edb0a8228029ba92d0f5 |
| SHA1 | 5b317253a63fecb167bf07befa05c5ed09c4ccea |
| SHA256 | a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464 |
| SHA512 | 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
| MD5 | a2d31a04bc38eeac22fca3e30508ba47 |
| SHA1 | 9b7c7a42c831fcd77e77ade6d3d6f033f76893d2 |
| SHA256 | 8e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531 |
| SHA512 | ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6 |
C:\Users\Guest\Contacts\desktop.ini
| MD5 | 449f2e76e519890a212814d96ce67d64 |
| SHA1 | a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd |
| SHA256 | 48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7 |
| SHA512 | c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738 |
C:\Users\Guest\Music\desktop.ini
| MD5 | 06e8f7e6ddd666dbd323f7d9210f91ae |
| SHA1 | 883ae527ee83ed9346cd82c33dfc0eb97298dc14 |
| SHA256 | 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68 |
| SHA512 | f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
| MD5 | 17d5d0735deaa1fb4b41a7c406763c0a |
| SHA1 | 584e4be752bb0f1f01e1088000fdb80f88c6cae0 |
| SHA256 | 768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed |
| SHA512 | a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
| MD5 | 764bcd12f24f7fa8fa5887f720a19179 |
| SHA1 | 5c8348269c4161726f49fe257f0bf1d9179489dd |
| SHA256 | d3cdda5c91a4998c77a697056ab5b3f23f44483de31714d3a069e4a67055c518 |
| SHA512 | 581d7c9076f036482ea5b116fbc179e402f2264239c1f118af3fc9c2914eb23583b770f3d9e6f8d03c9017ee24a3d88873d547bb0d200017de72121c41dec160 |
C:\Users\Guest\Documents\desktop.ini
| MD5 | ecf88f261853fe08d58e2e903220da14 |
| SHA1 | f72807a9e081906654ae196605e681d5938a2e6c |
| SHA256 | cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844 |
| SHA512 | 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | 5abae4f285adfd0378040cdb60f1f4f8 |
| SHA1 | 3b57259a762b87e017f38dc8b0c43cf2b781e40d |
| SHA256 | f26b8176cc8088c2f08b4ccd083e06d94e808c28368c8f3a22c09ca09a728cb6 |
| SHA512 | f479c55584ead1e11188704b6741bd9988eef4dd49831dea8a6df80356586630e2d1d381a600ff251fe935a7d8209c458b9f3e622d0a4a57e2ac1304638fc224 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
| MD5 | 002cb3bc84b775c84dfa495939f423cd |
| SHA1 | fc65ff02b75d6f8b3df1ed25bf7855a3f90100f9 |
| SHA256 | 8507affd027720f2c0298bd6ca2bdf7da78bfe53c7b2bca72206e2280441879b |
| SHA512 | 4c6f49ad94ec6b0019aa44697f50c84b788c8c17411ead74a00b3d9597e24e900bda3c043fd7d43be9f32b529fde784e8c6814b9f0ad4564fc44af9592db3e70 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
| MD5 | 0ff56a4620c3221ff64ec61a3a0d3033 |
| SHA1 | 3a45320be12b585dcdc5ab2af5ea1455b2c919a1 |
| SHA256 | 0b0a65accca705494739d03b6c2ea769c78cd0eee996bc95b0c6ebc0941f4b1a |
| SHA512 | 962a340efeb6d18c85e5872997eebb83374e114be088689690ba438f0db8e2e4df6c24713a35cfaec518f58d5322cf9617638ea55ff279a9d161c4fdf9af74f6 |
C:\Users\Guest\Downloads\desktop.ini
| MD5 | 3a37312509712d4e12d27240137ff377 |
| SHA1 | 30ced927e23b584725cf16351394175a6d2a9577 |
| SHA256 | b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3 |
| SHA512 | dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05 |
C:\Users\Guest\Searches\desktop.ini
| MD5 | 8e11566270550c575d6d2c695c5a4b1f |
| SHA1 | ae9645fad2107b5899f354c9144a4dfc33b66f9e |
| SHA256 | 1dc14736f6b0e9b68059324321acc14e156cd3a2890466a23bf7abf365d6c704 |
| SHA512 | a9fc4b17d75f85ae64315ba94570cb5317b5510c655d3d5c8fb44091ea37f31e431e99ed5308252897bdd93c34e771bf80f456c4873ef0aa58ca9bbb2e5ff7e0 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | 55ed2371b3ca6aa7b9496b4eda761771 |
| SHA1 | c5193178e19f3915d98ef0c420b70a7b1eb967b3 |
| SHA256 | 988f56504a0f75a7faca9ec3fb02fa8b3d60611c9b546c5e02713be410722c79 |
| SHA512 | 6ac70e44a19e2994839ae5a0912531482414b138dd7c9286526331027f188e2e359c6b95266209b0a84485b169df023a0dfcf7d01dfe12a6a61acb1d788e0fa8 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
| MD5 | 7f1698bab066b764a314a589d338daae |
| SHA1 | 524abe4db03afef220a2cc96bf0428fd1b704342 |
| SHA256 | cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76 |
| SHA512 | 4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
| MD5 | 548b310fbc7a26d0b9da3a9f2d604a0c |
| SHA1 | 1e20c38b721dff06faa8aa69a69e616c228736c1 |
| SHA256 | be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac |
| SHA512 | fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
| MD5 | 5547a64ee3681b1fca07111e73dcc51a |
| SHA1 | 0b16a54ccb7c0284df649594e006ca96e07ac296 |
| SHA256 | c6a3db953cc63f23aa5ff66de5fc6b483f6a1106cf1f77cbd73617b2c4340e0e |
| SHA512 | 21a6b9b2c578ea8d0bfb22c1b37b0dde47395ec958fa5c73eafeb8b865080db132e565c7e8ce2ab1d2e934f414e23b820f3ff3571a7d737453f3ace76d11cc25 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | 800d484f3e9ee8ec3c87e1e10d02ebd8 |
| SHA1 | aa1f57a10f2f0a58cbbbb20565fb48b164f20620 |
| SHA256 | f32acdf92f67c45c901df3e094b6931b3b64896f543ed3d6044312899dc6648e |
| SHA512 | 1ef38644cb6641286f6778cca23cfdfabb3aeab0ae0fe5517ebdd35039586cea611a709f0a8dd70a0453178f804905456078023011fbc4fb154ca2520ca32af5 |
C:\Users\Guest\Saved Games\desktop.ini
| MD5 | b441cf59b5a64f74ac3bed45be9fadfc |
| SHA1 | 3da72a52e451a26ca9a35611fa8716044a7c0bbc |
| SHA256 | e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311 |
| SHA512 | fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3 |
C:\Users\Guest\Links\desktop.ini
| MD5 | 98470d9bd7fba55a0c303065f9c4f9be |
| SHA1 | 5303b190e29ba48332f7c90a832ef08af5a1953d |
| SHA256 | 3830022d5d7ef2ae2ca0a2b6ad73f0d4716b49bf7eeeaa87b618988d531b7c72 |
| SHA512 | 134e072c3600bbb3c724c2700da399a14ba5b907153969362b3dbff32c480d39e7f5ecceebc9122a5a27265410557a16eb6bf82c9b635b90ef1fa0ae9efb849c |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | 38797b1889a7f2a404c980702fc1ef07 |
| SHA1 | 3014120e961f0e94a27d5ea5fa2283a5b825dcb0 |
| SHA256 | 41400da089d644e32c2ed5ccc7f7ca17c833a3c17c82bbedbdec6d9e910aa1a4 |
| SHA512 | 0b533b5a126f57fca0d073e5c28b2b46964ff52df61b978c60729ea30348b3752d3053a37933959099fbfafea0efea17c7cdde5740e8603f1cf60219d7d21792 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
| MD5 | 453249f95d75eb5e450eb91fa755e1c8 |
| SHA1 | 3e200e187e8cd21d3d1976ea0f7356626254de18 |
| SHA256 | 01bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a |
| SHA512 | 6125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c |
C:\Users\Guest\Searches\desktop.ini
| MD5 | 089d48a11bff0df720f1079f5dc58a83 |
| SHA1 | 88f1c647378b5b22ebadb465dc80fcfd9e7b97c9 |
| SHA256 | a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17 |
| SHA512 | f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8 |
C:\Users\Guest\Links\desktop.ini
| MD5 | f458374ae40c626735132badbc5b0370 |
| SHA1 | 3d65ce3308dd1e4bdc2edb5f082aa6d15984d08f |
| SHA256 | c053541e6dfaebf133f0e0c6712d42e9905de896814d4c10b8e728f0345700c7 |
| SHA512 | e076d1f2a20fae037dd2dd7197d20b41687c9652d2e42e3c567806a0775a2a5427b3c481dc502315c5bfdf58cde908ee89e073e0124393972211ff5375f454e0 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
| MD5 | f107d0270e21a2fe91099fdc15918d44 |
| SHA1 | dabc2f24f4a4e90053743166e5c4175dcf2b2d2d |
| SHA256 | eb315c9d165b4916e3b00e4d148b53a6c03a2f0694a6a8821d98e76f935ca6a8 |
| SHA512 | b5d51c0d6abe99121d4f4f1d236def4260b7d5c26c501d7735eba4f58e2597db0e89b2b1df16545e49fc39649806e5305efb912328541bdd31c01ff3d2bda49c |
C:\Users\Guest\Links\desktop.ini
| MD5 | ae182d8fd390c2e0bc51c1112e45083d |
| SHA1 | e1fad8c1e1be945d43dc821c86e664a1f086527c |
| SHA256 | 682e279e358f6f1e7f23fe0495fab79af06344343c086dce0b42adc2fe751ddf |
| SHA512 | 2684b180e60a0f6f4b6ae2507c6da0766673b2d1e874d500ce8fc9c98a95717a3804aeecac8ed52e767ab0781ab1ec17d6330cf4a785bb0fc4860c4ee239cb0c |
C:\Users\Guest\Links\desktop.ini
| MD5 | de8858093993987d123060097a2bad66 |
| SHA1 | 0a89e87ba46538cb73aff1a47e4dc0bcfb4760d5 |
| SHA256 | 4c0d757717dec80eca8c6cbbfdda4706eb38fbbb7624933d5429dafc7bb9f0ec |
| SHA512 | fa348ac4025b599f460cb831338ce010dde8fba87587a6d078d6d594a30fee87ed112e412078c10604553f326cc7bd7627ae93b0e3d8a60cfeda0720cad29f4c |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
| MD5 | e4e50dfa455b2cbe356dffdf7aa1fcaf |
| SHA1 | c58be9d954b5e2dd0e5efa23a0a3d95ab8119205 |
| SHA256 | 9284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927 |
| SHA512 | bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169 |
C:\Users\Guest\AppData\Local\Temp\RGI5CD0.tmp
| MD5 | 3006752a2bcfeda0f75d551ea656b2ef |
| SHA1 | b7198fc772be6d6261ed4e76aca3998e8f7a7bdb |
| SHA256 | dfd64231860c732dced3dc78627a7844a08d5d3e4cd253fd81186bae33cc368a |
| SHA512 | 3fcfa7c8f46220852dc7efef5b29caba86825d0461a35559f26dbb2540c487b92059713f42fe1082a00a711d83216db012835673e1c54120ffa079e154950854 |
C:\Users\Guest\AppData\Local\Temp\RGI5D32.tmp
| MD5 | a828b8c496779bdb61fce06ba0d57c39 |
| SHA1 | 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda |
| SHA256 | c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d |
| SHA512 | effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea |
C:\Users\Guest\Favorites\Links\Web Slice Gallery.url
| MD5 | 873c8643cbbfb8ff63731bc25ac9b18c |
| SHA1 | 043cbc1b31b9988d8041c3d01f71ce3393911f69 |
| SHA256 | c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466 |
| SHA512 | 356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943 |
C:\Users\Guest\Favorites\Links\Web Slice Gallery.url
| MD5 | ad93eaac4ac4a095f8828f14790c1f8c |
| SHA1 | f84f24c4ca9d04485a0005770e3ef1ca30eede55 |
| SHA256 | 729111c923821a7ad0bb23d1a1dea03edbf503cd8b732e2d7eb36cf88eaa0cac |
| SHA512 | f561b98836233849c016227a3366fcf8449db662f21aecd4bd45eb988f6316212685ce7ce6e0461fb2604f664ed03a7847a237800d3cdca8ba23a41a49f68769 |
C:\Users\Guest\AppData\Local\Temp\www5FA3.tmp
| MD5 | c2858b664c882dcce6042c40041f6108 |
| SHA1 | 52eeaa0c7b9d17a8f56217f2ac912ba8fdc5041a |
| SHA256 | b4a6fb97b5e3f87bcd9fae49a9174e3f5b230a37767d7a70bf33d151702eff91 |
| SHA512 | 51522e67f426ba96495be5e7f8346e6bb32233a59810df2a3712ecd754a2b5d54d0049c8ea374bd4d20629500c3f68f40e4845f6bb236d6cca7d00da589b2260 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
| MD5 | da288dceaafd7c97f1b09c594eac7868 |
| SHA1 | b433a6157cc21fc3258495928cd0ef4b487f99d3 |
| SHA256 | 6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2 |
| SHA512 | 9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062 |
C:\Users\Guest\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
| MD5 | 1b14b59be7a7c5b177569447adbaf27e |
| SHA1 | 1f9cd29328fb4008d5ec305378af19aa5a3f6aec |
| SHA256 | b743ed23437e2fe31d0dbfb46736395a00aa6dbc95a900ab44c96fc2edb5da99 |
| SHA512 | 5e992ff1b5d7839fd70e4b895ebf184b4072a6bd8876ca5b5a8acbbf314d495c699b338889cd826fd89c8eb6e491df96a00c29ad5e8a8b4ab626bbcee5a1304e |
C:\Users\Guest\AppData\Local\Microsoft\Windows Mail\edb.chk
| MD5 | ec47b92b30820a2154853820f3c147dd |
| SHA1 | ba1dff987d02c7b1437c5bea86cd6d507adf56cf |
| SHA256 | ea8fdd3c1f41351e6c962ae57b3ce5eb96da18f692091d579ce730d0acde5661 |
| SHA512 | 35a0c2bc0e7ea5842c63e21617e3660a8eabe8ababb1dd19e1ab1851225b997994626ed446122fccb6e569947da2d54bad9b1a210a77aa8df98b8c46448c96b8 |
C:\Users\Guest\AppData\Local\Microsoft\Windows Mail\edb.log
| MD5 | 61a50a51057c4f9b3f2020ac75b98e9e |
| SHA1 | eeb6af2bc16ec37c0702ddd7eb863c1234cd39ee |
| SHA256 | 5f77fd056bfdc559545657bd1e6c4d49e3bb7f5aeefd2485b9abd534a12927e9 |
| SHA512 | 0895b84fae050ad3a4afef1aa68cfe65a0897a05b5b01f2d0060244827bdb6d4b79d31c6f408b58e90434e748a809a4d99cacd4ff6911a8215ba5045f9bdb7f7 |
memory/2948-1309-0x0000000002710000-0x0000000002712000-memory.dmp
memory/2948-1312-0x0000000002750000-0x0000000002751000-memory.dmp
memory/2948-1319-0x0000000002420000-0x0000000002422000-memory.dmp
memory/2948-1321-0x0000000002320000-0x0000000002321000-memory.dmp
C:\Users\Guest\AppData\Local\Temp\wmsetup.log
| MD5 | 013a39303abaf58f49a0770a3d9fd200 |
| SHA1 | 08ce956b530cbb37a9d6dbf8afe990b3f98e1ba9 |
| SHA256 | 8a96d97b06e9506b2c4654fac66bc9b818ae84079d67faf17e99f99621aa79b0 |
| SHA512 | 888fdf9ee1ea27cd5706d90089b719235d2ee908cc0f2f4d3f23709dfdd33ce3ddf9ea906f137614b1894c7a37deaa86220c44bf88fec9926a2a54169624bb5b |
C:\Users\Guest\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
| MD5 | 87f209891567e5b3e08f0ce31161f6f7 |
| SHA1 | ad0556b5c6ab8f46bb936d85d8fda46279a668ac |
| SHA256 | 6f0045839ec2e236598407b59d612b16083027d7bdd62d3f28559262f8385394 |
| SHA512 | b2c833bbb2b4d7a369fd6aafbb373fbf1b526ec56b11ba97e85c02766effa23433ab77d7478b664123d7ae46d5befea472104729a6c7991c98467b9010c9da7e |
C:\Users\Guest\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | cff056b332297fe1edd5c3c9555b1539 |
| SHA1 | d49ba5a3260830e4958d60cbc33cc88252851ecf |
| SHA256 | 965869e48fad8e3ba87fc96f0e9396b0acbbb3351a22e2bc1977fe9a985d0c69 |
| SHA512 | 2aa257b9b2efbd2b08f858be551ac59796e635a4a745b3da3db3fc3963c76dc1cc5650d97bf985e5f6df487d8ae2f4feb1b4296901963fcbd6e3108786b61ed0 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
| MD5 | 3381de0819a206a37ce337daa7c6e94b |
| SHA1 | ede5b9e222db69686ba99c884f9e16070b79ac43 |
| SHA256 | 260f53c23ce8994b2e40c2e00f33624ab3cf6819f8a1a242ab9b320711a030d1 |
| SHA512 | 2eec1df74af0ef71862289c73a3332a5bd92acfead75c830c29e761f53116c182e62d739f084e4bd8e599e193810f2d9d63b9ac8cef94ee969cf7556d408afb2 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | cbf9edc8b193a525ee92b0562140474b |
| SHA1 | 1c724cf4bc695e6c14595f3abe359c6f28c9da61 |
| SHA256 | 0047634902be29f1cb1c448b11d93bf5b80464585c913e9eea5d4e585ff22120 |
| SHA512 | c390a697ce9cd806a97bebfcd588460537fc88af2ffb48a50edac5e8a82ef3d8b877408cf474d8783e136c4f9615f4848d35e263950a4b3cfe018bfb1edb39b6 |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | c3fd10e87ea099ebc3e48323aac4093b |
| SHA1 | cd9b70acc1dd87830a2f942ce0332468cb5d5983 |
| SHA256 | ecae9ec37da7e372bc3e7990d60c249ae5c7ccbfe3465b4c7c40d4cd624dedfb |
| SHA512 | 34fecdd3e82ea8f2e9c1f53aaa385497ddd84f94fd807560579e8ade35a2abdc714c62272cb335bfe3427a0fd670efb942dbc4e102ac23f9ad63f74e6f570e2f |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | 2e72e0d0d62cfd945b205cf0e45c178a |
| SHA1 | fbd065a8eafde6b456c49a621c9c725f9147b433 |
| SHA256 | 234bf975ca997c8f9dcd52c726cc756c205ed073d714677b1fadc0da267e37f7 |
| SHA512 | fa38647d32ac322521c9a720ca74576c00ee8312ca12847ad6b1a0a08087342f806122880d75c8164630f18ec56e8d3187817a14436f02c338259e7ee3c93e3a |
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | b47a90804f73cbcd3cba9f3021b7db87 |
| SHA1 | 1521c2421343dc3b35d15251ed50c86cfe988fa1 |
| SHA256 | 0dcba3e83b892922bdb7a520f9f675f9f8f5b5d62949c4b3bd911d404723ed5e |
| SHA512 | 0addfb5298121e58777a7f3e7e227bb79a8478dc0db39652e2632deefc445c12d6c7cb1667d28faadc360cfa3c6c2e84d6f662c4dead4aa974e6c5349e66bce5 |
C:\Users\Guest\Searches\Everywhere.search-ms
| MD5 | 0fa26b6c98419b5e7c00efffb5835612 |
| SHA1 | d904d6683a548b03950d94da33cdfccbb55a9bc7 |
| SHA256 | 4094d158e3b0581ba433a46d0dce62f99d8c0fd1b50bb4d0517ddc0a4a1fde24 |
| SHA512 | b80a6f2382f99ca75f3545375e30353ed4ccd93f1185f6a15dbe03d47056dad3feea652e09440774872f5cba5ef0db9c023c45e44a839827a4b40e60df9fd042 |
C:\Users\Guest\Searches\Indexed Locations.search-ms
| MD5 | b6acbeb59959aa5412a7565423ea7bab |
| SHA1 | 4905f02dbef69c830b807a32e9a4b6206bd01dc6 |
| SHA256 | 99653a38c445ae1d4c373ee672339fd47fd098e0d0ada5f0be70e3b2bf711d38 |
| SHA512 | 0058aa67ae9060cb708e34cb2e12cea851505694e328fd0aa6deba99f205afaffdf86af8119c65ada5a3c9b1f8b94923baa6454c2d5ab46a21257d145f9a8162 |
C:\Users\Guest\Links\RecentPlaces.lnk
| MD5 | 0025c3a7d7c4e90e58332958b00d83c4 |
| SHA1 | 01dd4fdb260f66923004acb5a874111a9d14da38 |
| SHA256 | 36db348143da1b5c16b9074940e85761950ee30b533b7ca75924f2f4ef6b253b |
| SHA512 | b5631c94bad794541d16f2fa3a02018f4b34b680b63a9f3b6a3da4329216567a7ba9ceb8d4bd18165b0e55142f42e039f160ec675c0946237c276de1a6e642c4 |
C:\Users\Guest\Links\Downloads.lnk
| MD5 | 43b4159c2c13b8c31900b01c5c41b896 |
| SHA1 | d7295cda2cf6393d735861a85344f9ce22cc2fbc |
| SHA256 | 58096777816526a1bb0a71baca2ad67ca1ebbcf76e6c4eb23ac562e1f7d7b7dd |
| SHA512 | 6cfa8309891f55f2bf48789b33543f61baa075f054958704ba2cad405f43ac858cac2b187c24c806acddae38de43fa0d341a238eac129b562a4db89454291532 |
C:\Users\Guest\AppData\Local\Temp\chrome_installer.log
| MD5 | b4602974ce66a23282af69e741475fba |
| SHA1 | 8e58e0746cc69c130621c7f04b63eecc620022a8 |
| SHA256 | 202817e66cc1949da6f6f8b4f5fe01523d6a4ec47966d721989cf8874db57309 |
| SHA512 | 3257fd27cc2deb1106a5bd476e466d7e5b854dddf818d85b428d2e1bd3832dcd3356dad9d3084d6b97ab8841e35d15ff10fa879474e3b5eb4a3c3c2e9d73a5f4 |
C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 1bc4d637193cea461ac737a7b801852f |
| SHA1 | d4dbcf7c198595e6cc50daa0706ce652624a19b2 |
| SHA256 | ea01d357f4d5ed2f857bd1a3d74a32018e3d616080f894057888287de5ea8361 |
| SHA512 | 58fd60fd3b96f2e97b4da69d1d01478c261018432a1907d6ec7f2fddda2455f17acb394390865dc3d152d582e821322d9ae82d663e22fd67cbc305cebcc4b7dc |
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | 1c61dc21f9b83172d65be1e94b79026f |
| SHA1 | 7324473ddda64b87c299bf6e3b9e9aff53f7fd74 |
| SHA256 | 8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b |
| SHA512 | 9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8 |
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | 9a1b13fd914dd7054b83bc1760c99ab8 |
| SHA1 | 340c37602b11cd3cb9ae681d09bfc4c81f733742 |
| SHA256 | 7f0a9cc0be951d60d6c8e60d1a612bfa65fa390020d7c0c80f212ba2a47a4aa3 |
| SHA512 | 50d48a348c71fb9e89ab01e59fe599b692a1701f19d2c9de6ae09678e0a44ba95020b1989f9c776edcacacc5f2b2b348b0f31aa28c04850e69e47cda6dcaf88e |
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
| MD5 | 47b2e1c4ddd5fa161f4e7314222d7a29 |
| SHA1 | f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4 |
| SHA256 | 20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772 |
| SHA512 | 07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b |
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | e5a8eb64419f6d85a1b7aed2152616c2 |
| SHA1 | f5d94f8953bb235e35fccec0ea4f14ba69443081 |
| SHA256 | 5266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7 |
| SHA512 | 7c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6 |
C:\Users\Guest\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk
| MD5 | ec77a2174738e4fe2e6bbeee4607dcb9 |
| SHA1 | 09b350589ffc28fb0f096c49d758e0e01a585847 |
| SHA256 | 7cf2f8c5ccc684f80b2286460b977478f7f6478d0b6794c7f371ea1657ab6b2e |
| SHA512 | a3a89f501504e24fa37da13949a8bab2ee2639f2e2f226545d66609803c3353ed06782b20fb91550a20e889522e3c4ceeafb3281bd58c0e831ffceebfec5a9c4 |
C:\Users\Guest\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
| MD5 | e0fd7e6b4853592ac9ac73df9d83783f |
| SHA1 | 2834e77dfa1269ddad948b87d88887e84179594a |
| SHA256 | feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122 |
| SHA512 | 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55 |
C:\Users\Guest\Favorites\Links for United States\desktop.ini
| MD5 | 43732b12dc5e0c37046900fa2a1f0df8 |
| SHA1 | dcaaf6b16847f4ff66788aa1416c137e62361d0f |
| SHA256 | e8e187d06caeb619b7a60d6fd4d1f4e9d70f5a232b02826ce3ebef56246f942b |
| SHA512 | 578126bec9b73a8d55da85f4f9fd8d91b21c1b25314c706cfbd5efee5a869e85514423f0d437709c9888dc98fdd9f9778444430419d3316113d2b13540a458ed |
C:\Users\Guest\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms
| MD5 | b17fd84087d783189e704944108f9c1a |
| SHA1 | dd0cc69ff6d7cbc461045a7a938be01f118a75a1 |
| SHA256 | 4e7a9c48e76bf1663eb93b346166670429a13bce019f5bad7c15ef51367bbee3 |
| SHA512 | 58d06e92f17d546f99b526facb906a17767c654c71bc319cba17c6002c74734e60147e8ec6f2a4ac73a58fb30bad8a177c7fffcbce3c5e4a90f338c239fa941a |
memory/1640-1824-0x0000000001F00000-0x0000000001F01000-memory.dmp
memory/1640-1828-0x0000000002E50000-0x0000000002ED0000-memory.dmp
memory/1640-1827-0x0000000006300000-0x0000000006310000-memory.dmp
memory/1640-1853-0x0000000001F00000-0x0000000001F01000-memory.dmp
C:\Users\Guest\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms
| MD5 | 22e27b81644f57901fc80d9c0227eb5a |
| SHA1 | 30d03c43f9722c8c0e19f84d64a979ff82959f0c |
| SHA256 | 7917dd208050a45600687ab1de8f04c112c9fa6e69e0e0180bc0604e5df1c979 |
| SHA512 | b94723938e1ae6eac56b79d005cba5bbbfed0818db2112e75c04ba4679d6adf763f00ad7c94fc1a782a40dcb781fac33115d7fd406d082587cdcc849447e2fce |
memory/556-1860-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
C:\Users\123\AppData\Local\Microsoft\Windows Mail\edb.log
| MD5 | bb2e41eadb88a2fa309ab3844b743876 |
| SHA1 | c8a527888666ed29a4c7a30b7a3b082e118a7aec |
| SHA256 | 7c3fdb6205d4500d2616b86f56e95283197b18e99cf79c35b2b466bbf672a2fe |
| SHA512 | 8320612b5e8e112a26f0ced7413f7c3b4dd5ff7dabc30da31c8cf212aeb0516f853fe0f795be7c7ac8ab50c87dd0c1d1b6bd3fe2055d7fda828853f753ba5059 |
memory/3096-1903-0x0000000002700000-0x0000000002701000-memory.dmp
memory/3096-1905-0x00000000026D0000-0x00000000026D2000-memory.dmp
memory/3096-1908-0x00000000026D0000-0x00000000026D2000-memory.dmp
memory/3096-1971-0x00000000026E0000-0x00000000026E1000-memory.dmp
C:\Users\123\AppData\Local\Microsoft\Windows Mail\edbtmp.log
| MD5 | 57536f253b49ac99f81d9445db8377b5 |
| SHA1 | 0ffc06e8048d91c8608b9c73b6b0461837d8dd07 |
| SHA256 | 6ef7b9dbab2c2adc31f18e4f75f981d897b6d3d52e6d429902a07b241d137f59 |
| SHA512 | c61805abb5a052591a2600da545099bbf2c7685ba68cc43af8cdf80ca935d41467e420d6c86657acdada01ca13cb09533a9417f72ae7faa8b3ddebce5e457b82 |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\01_Music_auto_rated_at_5_stars.wpl
| MD5 | 3094088e14afdc15d7427b093b8b7b17 |
| SHA1 | ed10bf7cf3df61ba95f45dca39042473efe07197 |
| SHA256 | b2b5080d83a1853fbec424e6b179b784c57716600e1b58dd8b2c5fee0e098fe5 |
| SHA512 | 50cc06540177f4d9c5ae4d458f16ad725410388fbb36109e09a47b08c5dd6fca1a764858c5259c5cb781f8962cfc81226d79c5877f5cddfc47b84dbdd5966f45 |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\02_Music_added_in_the_last_month.wpl
| MD5 | 907bfc98ce854ae312127c952d8be0f2 |
| SHA1 | 02defe8c5f9cc85742e45ba55e4fcfe326fd960c |
| SHA256 | c475dc7423c2ad60f25adaac754cd8b68b57ff04f26ecef78f3e5961b986a324 |
| SHA512 | db4045f992bad6ad660769a22345c5e0d965ae521d6828d612b15f0163622c629992c313a41bc9e381f9b0f098117eef840d33100af4c6a3634eb0013a7fe1c7 |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\04_Music_played_in_the_last_month.wpl
| MD5 | f8d3a4cacf055f5ec5c62218ea50d290 |
| SHA1 | 974474ce3fe345d8015863bd6ea7242ba118532b |
| SHA256 | 201f2170812cf8041964c4d3c5ef539d96adeba6a68b69ecaed0affe3ae8e25f |
| SHA512 | ac32cbeb05fae672047705679043aecf9b56314baa09c2d3abb7eac655710d7cb2c967ea1772767e366bb502e8ad6de375302f51ca62a76d962ee539b45bfc21 |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\03_Music_rated_at_4_or_5_stars.wpl
| MD5 | 6d791b697af46d6777182af7f18c2955 |
| SHA1 | d73e8b5f4ee646c1c4ab6d23f3cb3394cb833ca8 |
| SHA256 | 4825eb90140f6b2f4f7ed0df66b24e10ff5d0da70af53ea495fd30b3aa791870 |
| SHA512 | 268cf327a9f471d547ad1dae47833cf6d722c08f9cbf5e7867a422282ce52dc320340ded93473a598903bfee9bf6a1a3393779468dbeb27d3390dbd59e6d20ba |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\05_Pictures_taken_in_the_last_month.wpl
| MD5 | 821d2be672f05514127c117cef460c6e |
| SHA1 | 1c75f314e7658a3dcdcad315e301f2bae6d47b31 |
| SHA256 | 3abdb6cbd88ad1557054ece3f10dd1a8494ed32f423b3cf8321b18decc489474 |
| SHA512 | 146d6293173b80ffe3721ae6e61293cc1d838e8a72713be8b859ce33c69ef753408057be9ce15a78d573e253548ee674ca3fea77efa3d330ce8c8a50f8a8a988 |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\07_TV_recorded_in_the_last_week.wpl
| MD5 | b9987b1f9df6d0afc01558b907e62a16 |
| SHA1 | ef202d5d6f90b37c71cb757f3babb0857ce54d86 |
| SHA256 | 0892efdb8459d81d4c5e1085239734d9910b9c6a1debd7189cf385141f0b19d1 |
| SHA512 | 6bc86075632c3e56ffe1d371f4178299e93e014f5c5c83dfdca2dc9efd1155633409c79ec87cfe2afd4374b83771ae56a3eb7fac00f83921b433cb49216037f9 |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\08_Video_rated_at_4_or_5_stars.wpl
| MD5 | a3787a42b81fce0e448976ad158edd93 |
| SHA1 | 45ff275c0c32eab1f0b56e8b61e8ead18cfd1675 |
| SHA256 | 94bc17ac59bde92fbca00fcc69aed68fcbfe2c1754dd45f4810765f5fdf774ff |
| SHA512 | b36ca10f580ec9d455fb57149bce1897fe48fda6023b2fb55b6b4b80a91f1754311b91edd72c13103e0da9ed90b696c28d6904ea91984ade69ed50791f4065ae |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\09_Music_played_the_most.wpl
| MD5 | 467e71aa2fd951eb0a1af3d6bb8378e8 |
| SHA1 | fb654c0b2663d4fa5fd0f1658097d936dd0429ed |
| SHA256 | a54bc2cad63ced4fd9ff2a3a094a26e264e8a5ce8139193896d13236f494e2ee |
| SHA512 | f9242a4925b910f4a114652967a6e2f49444a3f0d9f35402fef28cc8d39c58720930084112baf92eb6716af541fd76e3803ccc1e742cec07f1d4fb6abc13a42c |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\10_All_Music.wpl
| MD5 | 51aeed11707741118e0706c1259df22e |
| SHA1 | 6434e915b018c6d15898fe0a4d006bbe3e1edb60 |
| SHA256 | ec286113e5ad77ac34063589a137a6dc4b4cab8845cd9c5386519983fa3b48f0 |
| SHA512 | a674487f9cabe1fb2809cd98958dce696f7f066d3738bfb30317201ed804df3c72f2d24d6f9c0832cf446c8a965e21f3ea50aada1c69860a12340d6eca88e942 |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\11_All_Pictures.wpl
| MD5 | 74294ef495559ed32731f19096d70312 |
| SHA1 | fdc6cc849270016d2a382d7d0daabf44a4556cd9 |
| SHA256 | db34d82f2cd23e6e55a64e12d2a0a9c27ac2ded156483238f22a336ca6825110 |
| SHA512 | b068d903b83945f146abd4cf384da99af608643c62b647ea65db33c3b0e0face4727a74be3210a9c6469bbc403d1f5c59d92cbd57722737e992b0e4f5e66662a |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\12_All_Video.wpl
| MD5 | 372d0beebea5460409a6a1c53ac52a18 |
| SHA1 | 1b5a925e00f9a4cc3a18feb8f74a2e39ef11eeb6 |
| SHA256 | 5b8b62b35e5dd8a46ccccaf3fc3743be9e0965d24cbcd20da2681065eeb37ef3 |
| SHA512 | efb412e3a17f4eab84fb9f99b9e420d18e23610a9a66bcd7298c3ba68fd24abe0c1f2e58faa411e059788d34f4cede45f9e25c6578d13faefb8ee79acd50f2e0 |
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\06_Pictures_rated_4_or_5_stars.wpl
| MD5 | 0a8a40ca87323dc16893194b00c7fe77 |
| SHA1 | b88a42a85053e0a7483e331b66ba5a40a6290e10 |
| SHA256 | 9aa433bed2e090cc6904f1c24d5a7b5a1ed6d8f71a997e661b886c69383fd53e |
| SHA512 | 5932f09106d622054e6d624221d754ff471e3f37d9f585ed23db7f7327fe1e2f624b22a8f7f2827b607fdb9a30683b8f20c48a39cd35a57ad5cb78467af2c20e |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | 696bffbc8cd1ad6400f10220607837c6 |
| SHA1 | 4f7aa526dcfe9b2931d58e3730d68aec56ba8c15 |
| SHA256 | 5ccaea1aa0a029d4c535f919ff30467be23ffc8f4c20c213a29e1b7da74407a7 |
| SHA512 | 7552a73d36c23f85df32dca367d9719dc699ce6823d55f03fa11e27ed1becc80b5e8842ca9e102cda1fcddc508149349f5ed939e7596ff04820a1139f0799363 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | 283b0f93e606e6c9f99e8b23f44bcd70 |
| SHA1 | 7d31177feebe76439c98de822f4a922fb360c732 |
| SHA256 | 1cc8857d515a24f7e0f4ebc5a5f70055223315c15110a3a23850e8b5260c5e84 |
| SHA512 | c671da50a105e76c50868c9ba54d66f00cc538d0d4dc4ca108569ce20fe31723a25a9f12ea08a267d1dab57dfc4e5434313dbbb5e1ee28244846c20fc83b6fc6 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | aa4238553d2ed26c73021359686b1cb2 |
| SHA1 | e14f8be45c0fa3a445420d9865132c3fc5281fa1 |
| SHA256 | 9f795de97f11345ba27e33a1d576a1f526f7d129e658257c11629bd7a5e23886 |
| SHA512 | c4bff8763338af4cae951a22a468ce0ab0c3a808d3717719a90f338997de839dde038b5c86af810a16dd94c71ab29b055564ab43b49d5a5b6c87a2aee8aeed78 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | 7e05293f9dbab34b03d9194a4b78d7b4 |
| SHA1 | ce14b05170d6071a7ef9e74cff2ee44b76aac4f1 |
| SHA256 | 33d93d6c6355327e48db10a1a3125a496fbef0056eb1fbb7c6cb6e5e76aa72e3 |
| SHA512 | f30385441e17ab75bcd70711d0e5d00dfe19b4884515da6ec59eb5717866b515ab1248fb077ad13be9f45e15f5cfb033920ceb14b7b77ec961baabe684fa1789 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | 4f92139cd322a396d7e0d25e5d151301 |
| SHA1 | 67f94e2990106d9481e78ae08356d7a4ec1737d1 |
| SHA256 | f47afaacc544f681170b9d6ec201dd92d2a166966da9ea1274675b1a9d6c4b96 |
| SHA512 | cf135d6a55e5744b905d2ab65d7d021133c353161a431a1026055632f0988e5760c7f0b334d17f3dd3ef1d98320efd207c36db1948adc00d2fa6035a172498dd |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | 4658184760eae5c15805a14ede87b8c3 |
| SHA1 | 9ec14b943a798f1daa82687594a71844e02a5aee |
| SHA256 | 2891a1dc0e10466e3e42d0c7432c14fab2219fce6d884a1cb6ed95c3d52f3ede |
| SHA512 | 687bc1a0e3bc2987e058c474f45cb7b98f372f9b9f0de1491ae487012af6d463ef61ace71eb71a9b5b284fe7c348937368cfcad421360e8c2988e1a5b5bf5db2 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | 7e40f5e4b5efd5dda70bf756a98ac8d4 |
| SHA1 | 838770370b9a7c2a44520e1496a52b03ce260629 |
| SHA256 | 3a20029b5abed0cb1a6de9d1addbb2cb3ad5648fddcb5b4cb9e4a66dc3a90263 |
| SHA512 | 240a1b362d6bf82d0e8cc5e4c9614e04e3526ce44a15e8215a48c5147152694090b132bce1aba728305afcc0284b8369caf12c908178e0399bd44ddced7396f2 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | ff73563b733324cf41e9b01d3d0e887c |
| SHA1 | 841b6a1ed4d07c1cb0a28449e76372f5210cb1bb |
| SHA256 | 9b6b5116e524029bca7cc4601c9e4a2a34767dc508e17f8308a4e53039f76a16 |
| SHA512 | c438656505b80b1240fdfe4983b36e4d83ef2f8a5b2c2455f45581ea50de7a78ad9a2badbf89831e4d9063cfd8034fc7b3bd9fade3084470cfb52061c2bae581 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
| MD5 | 3a33faac6513738fd86f43dff8989882 |
| SHA1 | afd4390e6b63c40e55ca08d27661a23d657b01a2 |
| SHA256 | 21a4315cbae2b0e8db633e86c344171da86f115bcbbb745680ff6f577668c910 |
| SHA512 | 8d7a47cba6b4d0da36151221c373625b67e44354b7cde41b5c3657e73a843b22a0a5b0bf92a4cbc32eac70b8292d674821085acf92bb58b94ea4542458c94b57 |
C:\Users\123\Favorites\Links\desktop.ini
| MD5 | 3c106f431417240da12fd827323b7724 |
| SHA1 | 2345cc77576f666b812b55ea7420b8d2c4d2a0b5 |
| SHA256 | e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57 |
| SHA512 | c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | f7994805c440a145ff138e6d56f0ea71 |
| SHA1 | f6817ac1a751df898983f0750fc29b8a7bd84ae3 |
| SHA256 | 946f8ebe8dd5c69e149edc1746894a65d7f124d0cf65ff7d4528246bce415fa2 |
| SHA512 | 6552576b1cdb25c248aadcfbca452355a732c5454da803fdbc8a8fe7b651cfe70ddb43fb38396b8fea30f52976e3c2f1fc710ffec77e54dcc6316fed020383a3 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | ed5fead3c1f396df1d9b3aac3d773a2e |
| SHA1 | cc7619e56a0a9e1d4f49be0e112a9f5e017e8356 |
| SHA256 | 4f603c2c02c9a1600f70dba27028375b96fdd6bc258b5c28844f0a49e73c07b2 |
| SHA512 | 0c6ab314c78d2df45f16d67b405898efbe00c006713fba13a9c3f0146092364bdb285d7c12e6114b2d2deb0414b864f21c9d580e979ebb7ea908f21bfa090bb2 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | 5152eff6f8a3106a69c1f7aaac686c98 |
| SHA1 | 16212c5eb4764e211e008feefdd0a5e4b3b7d9cb |
| SHA256 | 51ecf54d4cc0f8526a3ed51e3d73647a635f0ec05e90de658133e809a8606b14 |
| SHA512 | e22de62646d41ecbe4befb534398226f7157818b32a966cfe76dc8bbd0ac686695215526458e201a5d2f5efe729fb9ead64c2fb7db3a278b2e357cb10a2771c0 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | 9c806be088d4cc4b89cb0ea1035eebd1 |
| SHA1 | 3b8eb7ea1a5b86067f6b071559f0aac35ab1578e |
| SHA256 | d51f9af4631b2052af443b1c17535b7a701334484affb8284507b09281e48249 |
| SHA512 | 99d2b564bf0f72246091d4589de6ff9ca2bcefb52530f225ec951a2946e7974023acee3ca5e248861e7184add50b9dc6d0c8a8017331ca292234f500a98b4049 |
C:\Users\123\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
| MD5 | 2b35f45b1676da0b3c4805d22d6649aa |
| SHA1 | fb65ff08df990a4fc4eed2874c785356cd1205ec |
| SHA256 | 70dcc65f52972a5d28a5cf1107371af81613238e4d60569cefc1cad79451159d |
| SHA512 | 76bf67125225c5d7447132a8d2aa960d572b76b8652b4ac0bcc8a93e7fb9a0f6390d58399d926041c5d23278a1c5fad41c1de7aaddd5bc3e02b78f716bb9fc7c |
C:\Users\123\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
| MD5 | 099dda80ae29c7d1497c9351ed512aea |
| SHA1 | ff6649d95da1a47a268dd567a53c3685ee3d4099 |
| SHA256 | b56270a698c5e866de3cb332b6a7bb0cfc673d0049e7d2c127d449472030d61f |
| SHA512 | f2a038fe7116cced595ff8fd6ee52b13b34b1eae057073cfb26511660777ee92c2ba3600c0f3994903d7b12314cd1699d7b1bc28e8dca6aaeaa20679bc4cd4c7 |
C:\Users\123\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
| MD5 | 2d969131bccec01149620521aab5d9d2 |
| SHA1 | ef8864ea141862fbae6eb25c0c62b34f5398c304 |
| SHA256 | 63b9a95398fa607bdbd5187b15ffd20aa6fb3055cf6eb524cdbc9450ef5675cb |
| SHA512 | edb7139066dba40bfb2f0aedb48d7103eb54de28e4a5c61a1e200a3430782f04eebd1ca26a693a616444782d5c1966fe40dacb3180900cc0c80a81b0a53c41d3 |
C:\Users\123\Favorites\Links for United States\desktop.ini
| MD5 | c762527adcf889dd09cd11c286e1ea37 |
| SHA1 | 1f87d883ea067c1053360e5e3e5f60ced467da83 |
| SHA256 | 900278f22989be7f356d7d3babf0ff233ac58fff8d3f501a1cf70e89522252cc |
| SHA512 | 7a1fa4993e17e333321e7ff61761a378d3f5caab5135e6c518de57e80a51159ef09dc3771e3c88735ac0edb94980001d7f3433d31afe7c243dd4a2158f9d7669 |
C:\Users\123\Favorites\Links for United States\desktop.ini
| MD5 | 87a61a68c2db9b094112d4f4290fb795 |
| SHA1 | 1b5e6ec32415d010e5311caea31df96b0294fb65 |
| SHA256 | e25a84c6e593a5bd6592eca920fbc126d3e96c8d80f2bb0b17a36e40ed42c1db |
| SHA512 | 148411b6bd6133b17c3d192594338180846df638b9fd6bef7ddeb13c3858b3eab91940102349f2827ec69111adf7e506f4340b395928672180715798b4238919 |
memory/1640-2828-0x0000000002E50000-0x0000000002ED0000-memory.dmp
memory/2376-2854-0x0000000000300000-0x0000000000301000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | f69bc287a52f43d1e0103b593875c06d |
| SHA1 | a3dda1cda9d905b3ee7f88607475d039c3be301e |
| SHA256 | d66a0f2af3b1e5a4cb317857a54520964199d23b7b0786294aa8a4be47ee7e86 |
| SHA512 | 38816a943aeaf981a6969bca8ce71413de07855c794753c3cd02e41725ff7af534b1a65383e5f3d3508877382b4b8a806046161a06d518779b48c1ae16399b8a |
memory/2376-2890-0x0000000000300000-0x0000000000301000-memory.dmp
C:\Users\123\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
| MD5 | 2034995f0bbaa16db835b462eb78152a |
| SHA1 | ce19b1a236f95307067d4979f8dd96c70d69c18a |
| SHA256 | 62ce260f5e10fc17bf63faafa39912febf61d20fad51cc11606a295801743799 |
| SHA512 | 3427f74d944eaaf5a3e1dd22dc566c718be58e4ceb53ba414c72bca974136cac2f1cd8d0a2a0377ce3918c3f83b2480fffbd9088be135fe0fe48c5a499fa6759 |
C:\Users\123\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db
| MD5 | b623140136560adaf3786e262c01676f |
| SHA1 | 7143c103e1d52c99eeaa3b11beb9f02d2c50ca3d |
| SHA256 | ee3e1212dbd47e058e30b119a92f853d3962558065fa3065ad5c1d47654c4140 |
| SHA512 | 68528a7eb0efd59bed8e77edbee80ec654ec3b8f58a82b1c8ce594dcd3aba07af28268aa83f161837f63ff4278068238aa294e0b5649a688db5a483314df6700 |
C:\Users\123\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
| MD5 | 3e9c4eaba2c54dfe525197d54dc10532 |
| SHA1 | 4b71d8970e657835ebceee5ec79faea2c1422fbe |
| SHA256 | 05da3daa836dc6ed72144dff35f8d90396b4d524dc35ef8d8cd01d86855be858 |
| SHA512 | d6c71d6d749ee3599216208ae7bb0dbb45153cec956c447756c826b06dee139df0903e18400cc73d143164a6e766e29ac7e6f6aed9b2f865b5bcf55caf2f5177 |
C:\Users\123\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
| MD5 | ae08a2f7fbf44ad3cb6cbc529df8b1dd |
| SHA1 | bb2665ee5cd1821d48cca1cb07cdfde9ed6081a6 |
| SHA256 | 8429d5c6eb134eb64d8b0f3ecce83ab4d4d16e73c2d76993163372692b65ea8f |
| SHA512 | 4ba54d565403b82b8c293acc2da5a4c6bbbe5278ea9449720b18901f58a68c3e91c494d763a3de4f3c295bad5685156552c2979453a8765e0b994c28f378f089 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 24d1c6b76c6d4eecf7b93e551311e8c4 |
| SHA1 | 2fde7e9c8e66d6651c7401ab802f7fcf19df1aed |
| SHA256 | ddcd2fcf2e7019041d0939fd2ef8b0132d61243c33454a7d123641d5d90d3a62 |
| SHA512 | b03c8dea8c0a80dbf354b5153cd1e8210bc69d8c5ab35df781c8f501b43cce8a925b7ca8a53ef2c218c990c54694d128e01204a65ee93925cadd419e1e0b43d1 |
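The dropped-file listing above is raw report data; to hunt with it on other hosts it has to become a hash set, and not every entry deserves to be one. Several of the paths here (the `*.library-ms` libraries, `desktop.ini`, the `thumbcache_*.db` files, Chrome's `Network Persistent State`, the Quick Launch `.lnk` shortcuts) are rewritten by Explorer and Chrome during ordinary use, which is why the same path appears several times with different digests, and their hashes churn far too fast to serve as detection indicators. The following is an added example, not part of the sandbox report or its tooling: a parser for this page's layout (an artifact line followed by `| ALGO | hex |` rows, with `memory/PID-SEQ-0xSTART-0xEND-memory.dmp` lines mixed in) that validates digest lengths, keys the IOC set on the digest rather than the path, and can drop the high-churn paths. The `SAMPLE_REPORT` is a constructed excerpt built from lines in this section plus one deliberately truncated SHA512 row; the `NOISY_PATTERNS` list and every function name are my own assumptions.

```python
"""Turn a sandbox 'dropped files' listing into a hash-based IOC set.

Added example, not the sandbox's own code. SAMPLE_REPORT is a constructed
excerpt in this page's layout; the last SHA512 row is truncated on purpose.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Expected hex-digest length per algorithm; a row that does not match is
# recorded as malformed instead of silently becoming an indicator.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Heuristic (my assumption, not from the report): Explorer, the shell and
# Chrome rewrite these files in normal operation, so their digests churn and
# are poor detection indicators even when a sandbox lists them.
NOISY_PATTERNS = (
    r"\.library-ms$",
    r"\\desktop\.ini$",
    r"\\thumbcache_\w+\.db$",
    r"\\Network Persistent State$",
    r"\\Windows Sidebar\\Settings\.ini$",
    r"\\Quick Launch\\.*\.lnk$",
)
NOISY = re.compile("|".join(NOISY_PATTERNS), re.IGNORECASE)

# Constructed excerpt: lines taken from this page's listing, plus a truncated
# SHA512 row to exercise the malformed-row path.
SAMPLE_REPORT = r"""
C:\Users\123\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F780C7F\06_Pictures_rated_4_or_5_stars.wpl
| MD5 | 0a8a40ca87323dc16893194b00c7fe77 |
| SHA256 | 9aa433bed2e090cc6904f1c24d5a7b5a1ed6d8f71a997e661b886c69383fd53e |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | 696bffbc8cd1ad6400f10220607837c6 |
| SHA256 | 5ccaea1aa0a029d4c535f919ff30467be23ffc8f4c20c213a29e1b7da74407a7 |
C:\Users\123\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | 283b0f93e606e6c9f99e8b23f44bcd70 |
| SHA256 | 1cc8857d515a24f7e0f4ebc5a5f70055223315c15110a3a23850e8b5260c5e84 |
memory/2376-2854-0x0000000000300000-0x0000000000301000-memory.dmp
C:\Users\123\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
| SHA1 | bb2665ee5cd1821d48cca1cb07cdfde9ed6081a6 |
| SHA256 | 8429d5c6eb134eb64d8b0f3ecce83ab4d4d16e73c2d76993163372692b65ea8f |
| SHA512 | 4ba54d565403b82b8c2 |
"""


@dataclass
class Artifact:
    name: str
    hashes: dict = field(default_factory=dict)      # algo -> lowercase hex digest
    memdump: Optional[tuple] = None                 # (pid, seq, start, end) for memory dumps
    bad_rows: list = field(default_factory=list)    # hash rows with a wrong digest length

    @property
    def noisy(self) -> bool:
        """True for on-disk paths that match the high-churn heuristic."""
        return self.memdump is None and bool(NOISY.search(self.name))


def parse_listing(text: str) -> list:
    """Group each artifact line with the hash rows that follow it."""
    artifacts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            if not artifacts:
                continue  # hash row before any artifact line: nothing to attach it to
            m = HASH_ROW.match(line)
            cur = artifacts[-1]
            if m is None:
                cur.bad_rows.append(line)
                continue
            algo, hexd = m.group(1).lower(), m.group(2).lower()
            if len(hexd) != DIGEST_LEN[algo]:
                cur.bad_rows.append(line)   # truncated or over-long digest
                continue
            cur.hashes[algo] = hexd
            continue
        art = Artifact(name=line)
        md = MEMDUMP.match(line)
        if md:
            art.memdump = (int(md.group(1)), int(md.group(2)),
                           int(md.group(3), 16), int(md.group(4), 16))
        artifacts.append(art)
    return artifacts


def ioc_set(artifacts: list, algo: str = "sha256", include_noisy: bool = False) -> set:
    """Key on the digest, not the path: one path can be written many times."""
    out = set()
    for a in artifacts:
        if a.memdump is not None or (a.noisy and not include_noisy):
            continue
        if algo in a.hashes:
            out.add(a.hashes[algo])
    return out


def matches(data: bytes, iocs: set, algo: str = "sha256") -> bool:
    """What a host sweep does per file: hash the content and test membership."""
    return hashlib.new(algo, data).hexdigest() in iocs


if __name__ == "__main__":
    arts = parse_listing(SAMPLE_REPORT)
    print(f"{len(arts)} artifacts, {len(ioc_set(arts))} usable SHA256 IOCs")
    for a in arts:
        if a.bad_rows:
            print("malformed row under", a.name, "->", a.bad_rows)
```

Running the block on the excerpt yields five artifacts but only one usable SHA256 indicator (the `.wpl` playlist): both `Documents.library-ms` entries and the thumbcache file are filtered as churn, the memory dump carries no digest, and the truncated SHA512 row is reported rather than added. Pass `include_noisy=True` when you deliberately want the full set, for instance to confirm a suspected re-detonation of the same sample.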