Analysis Overview
SHA256
e1782dac8a2ad603ced2ad07901420220ba76cf7378ded425792e84fb6c7bc4f
Threat Level: Likely malicious
The file AAct_x64.exe was found to be: Likely malicious.
Malicious Activity Summary
Modifies Installed Components in the registry
Sets file execution options in registry
Modifies Windows Firewall
Stops running service(s)
Modifies system executable filetype association
UPX packed file
Registers COM server for autorun
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops desktop.ini file(s)
Checks whether UAC is enabled
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Runs net.exe
Kills process with taskkill
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: AddClipboardFormatListener
Modifies Internet Explorer settings
Modifies Control Panel
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Gathers network information
Enumerates system info in registry
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 09:44
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 09:44
Reported
2024-04-15 10:05
Platform
win10v2004-20240412-en
Max time kernel
1213s
Max time network
1205s
Command Line
Signatures
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{A6EADE66-0000-0000-484E-7E8A45000000} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{8A69D345-D564-463C-AFF1-A69D9E530F96} | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe | C:\Windows\System32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\Debugger = "SppExtComObjPatcher.exe" | C:\Windows\System32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe | C:\Windows\System32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\KMS_Emulation = "0" | C:\Windows\System32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\Debugger = "SppExtComObjPatcher.exe" | C:\Windows\System32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe | C:\Windows\System32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\Debugger = "SppExtComObjPatcher.exe" | C:\Windows\System32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe | C:\Windows\System32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe | C:\Windows\System32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\KMS_Emulation = "0" | C:\Windows\System32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe\KMS_Emulation = "0" | C:\Windows\System32\reg.exe | N/A |
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe | N/A |
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0169-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0202-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0145-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0224-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0267-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0268-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0221-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0036-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0080-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0085-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0170-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0325-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0255-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0261-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0126-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0182-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0119-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0076-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0221-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0093-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0046-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0085-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0318-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0081-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0129-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0168-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0220-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0187-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0229-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0367-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0355-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0292-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0014-0002-0023-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0253-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0126-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0020-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0098-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0129-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0304-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0056-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0153-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0208-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0218-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0227-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0290-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0282-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0113-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0358-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0013-0001-0052-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0202-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0320-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Uninstall 18.151.0729.0013 = "C:\\Windows\\system32\\cmd.exe /q /c rmdir /s /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\"" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\System32\BitLockerWizardElev.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{DBC80044-A445-435B-BC74-9C25C1C588A9} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} | C:\Windows\Installer\MSI4420.tmp | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setuperr.log | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagwrn.xml | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagerr.xml | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setupact.log | C:\Windows\System32\cleanmgr.exe | N/A |
| File created | C:\Windows\system32\WindowsAccessBridge-64.dll | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setuperr.log | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setupact.log | C:\Windows\System32\cleanmgr.exe | N/A |
| File created | C:\Windows\System32\SppExtComObjPatcher.exe | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| File created | C:\Windows\System32\SppExtComObjHook.dll | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| File opened for modification | C:\Windows\System32\SppExtComObjPatcher.exe | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setuperr.log | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagerr.xml | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\WindowsAccessBridge-64.dll | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagwrn.xml | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\System32\SppExtComObjPatcher.exe | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| File opened for modification | C:\Windows\System32\SppExtComObjHook.dll | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setupact.log | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagwrn.xml | C:\Windows\System32\cleanmgr.exe | N/A |
| File created | C:\Windows\SysWOW64\Elevation.tmp | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagerr.xml | C:\Windows\System32\cleanmgr.exe | N/A |
| File created | C:\Windows\System32\SppExtComObjPatcher.exe | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| File created | C:\Windows\System32\SppExtComObjHook.dll | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| File opened for modification | C:\Windows\System32\SppExtComObjHook.dll | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_browse.html | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\[email protected] | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\calendars.properties | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libx265_plugin.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\deploy\messages_sv.properties | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\management\jmxremote.password.template | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ka\ | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pa\ | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2iexp.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_share_18.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jcmd.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\xmlresolver.md | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_opencarat_18.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\custom_poster.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\nsaDF78.tmp\AccessibleMarshal.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\createpdfupsell-app-selector.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jsdt.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\zlib.md | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\ | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\d3d9\ | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm.api | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\es-419_get.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\plugin.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected] | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_anonymoususer_24.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\virgo_mycomputer_folder_icon.svg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon_hover.png | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\accessibility_poster.jpg | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-interlocked-l1-1-0.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\ui-strings.js | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\it\ | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css | C:\Windows\syswow64\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\ecc.md | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\SC_Reader.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC4AF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\drvDX9.x3d | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\fillsign.aapp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrobroker.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobehunspellplugin.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\QRCode.pmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acropdf64.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobePDF417.pmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\weblink.api | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\MakeAccessible.api_NON_OPT | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\XDPFile_8.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\2D0CDC21-6093-4384-9569-743D585FA8E0\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ccme_base.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\libcef.dll.15EE1C08_ED51_465D_B6F3_FB152B1CC435 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC337.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1253.TXT | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\a3dutils.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ccme_base_non_fips.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ROMAN.TXT1 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI41.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICB3C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\System32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobepdf.xdc | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Onix32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrocef.exe.15EE1C08_ED51_465D_B6F3_FB152B1CC435 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AXE8SharedExpat.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\logtransport2.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI352F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AiodLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\C3A75E9D-2717-44AA-A89A-F18D54DEA8BD\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CoolType.dll_NON_OPT | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\JSByteCodeWin.bin | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CORPCHAR.TXT2 | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI39B7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\BIBUtils.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1251.TXT | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\CP1258.TXT | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3540.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroPDF.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ccme_ecc.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\zdingbat.txt | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\PDXFile_8.ico | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearmhelper.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Checkers.api | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\displaylanguagenames.en_gb.t | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\ROMANIAN.TXT | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\Search.api | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e122.msp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI82.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6066.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\icucnv40.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI6336.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\comdll.x.manifest | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\adobearm.exe.BDCA7721_F290_4124_BBED_7A15FE7694EB | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\sqlite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AdobeLinguistic.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\appcenter_r.aapp | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\System32\cleanmgr.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\ | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\System32\cleanmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\msiexec.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\explorer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ipconfig.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
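The signature tables above record one process path per event but no command line for the sc.exe, taskkill.exe and ipconfig.exe launches, and they mix the sample's own activity with work done by Windows components (msiexec.exe writing the Installer patch cache, cleanmgr.exe and dismhost.exe writing dism.log and reading SCSI device keys, vssvc.exe touching Partmgr). The script below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the table format used on this page into per-signature records and pulls out the three things worth checking first, namely which processes run from a user temp directory, which LOLBin launches were logged without arguments, and which registry reads name a virtual device and by whom. The sample rows are copied from this report and embedded as a constructed input; the LOLBin list, the hypervisor marker strings and the known-temp-helper allowlist are assumptions of the example.

```python
"""Triage helper for sandbox signature tables in the format used above.
Added example: parses '| Description | Indicator | Process | Target |' rows
and attributes the interesting ones to the process that produced them."""
import re
from collections import defaultdict

# Constructed sample: rows copied from the report, in its own plain-text table format.
SAMPLE_ROWS = r"""
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\nio.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\2D0CDC21-6093-4384-9569-743D585FA8E0\dismhost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\System32\cleanmgr.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
"""

HEADER = ("Description", "Indicator", "Process", "Target")
TEMP_PATH = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Assumptions of this example, not data from the report: the LOLBins it names, the
# virtual-device strings to look for, and the one Windows helper that legitimately
# runs from %TEMP% (cleanmgr.exe extracts DismHost.exe into %TEMP%\<GUID>\).
LOLBINS = {"sc.exe", "taskkill.exe", "net.exe", "ipconfig.exe"}
VM_MARKERS = ("QEMU", "VEN_MSFT&PROD_VIRTUAL", "VMWARE", "VBOX", "VIRTUALBOX")
KNOWN_TEMP_HELPERS = {"dismhost.exe"}


def parse_signatures(text):
    """Return {signature_name: [row, ...]}; any non-table line starts a new signature."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("|"):
            current = line
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if current is None or tuple(cells) == HEADER or len(cells) != len(HEADER):
            continue  # header row or malformed row: skip rather than guess
        sections[current].append(dict(zip((h.lower() for h in HEADER), cells)))
    return dict(sections)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name of a Windows path, lower-cased


def processes_by_signature(sections):
    """{signature: {process_path: event_count}}, so bulk installer noise stands out."""
    out = {}
    for sig, rows in sections.items():
        counts = defaultdict(int)
        for r in rows:
            counts[r["process"]] += 1
        out[sig] = dict(counts)
    return out


def temp_path_executables(sections):
    """Processes running from a user temp directory, tagged 'review' unless they are a
    known Windows helper; every 'review' entry is a dropped-executable candidate."""
    found = {}
    for rows in sections.values():
        for r in rows:
            proc = r["process"]
            if TEMP_PATH.search(proc):
                found[proc] = "windows-helper" if basename(proc) in KNOWN_TEMP_HELPERS else "review"
    return found


def lolbin_launches_without_cmdline(sections):
    """{lolbin: count} for launches whose Description and Indicator are both N/A: the
    sandbox logged the launch but not its arguments, so which service was stopped or
    which process was killed has to come from the process tree, not this table."""
    hits = defaultdict(int)
    for rows in sections.values():
        for r in rows:
            name = basename(r["process"])
            if name in LOLBINS and r["description"] == "N/A" and r["indicator"] == "N/A":
                hits[name] += 1
    return dict(hits)


def hypervisor_marker_reads(sections):
    """Sorted (process_basename, marker) pairs for registry indicators naming a virtual
    device. This only attributes: reads by cleanmgr.exe or vssvc.exe are Windows
    housekeeping, not evidence that the sample fingerprints the VM."""
    pairs = set()
    for rows in sections.values():
        for r in rows:
            upper = r["indicator"].upper()
            pairs.update((basename(r["process"]), m) for m in VM_MARKERS if m in upper)
    return sorted(pairs)


if __name__ == "__main__":
    s = parse_signatures(SAMPLE_ROWS)
    print(processes_by_signature(s), temp_path_executables(s), sep="\n")
    print(lolbin_launches_without_cmdline(s), hypervisor_marker_reads(s), sep="\n")
```

Run it over the full text export of this page rather than the embedded sample to get event counts per process for every signature. Rows attributed to msiexec.exe, cleanmgr.exe, dismhost.exe and vssvc.exe are Windows components doing installer, disk-cleanup and shadow-copy work; whether the sample invoked them is a process-tree question these tables do not answer. The rows worth correlating first are the ones under the NSIS temp-directory process Un_A.exe and the sc.exe and taskkill.exe launches, which cannot be interpreted from this page because their command lines were not recorded.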
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\Colors | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B723F941-52A2-4392-B500-60F3889659B4} | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E} | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9C6A861C-B233-4994-AFB1-C158EE4FC578} | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B7278BD0-7970-47D6-8954-99B2343EED88} | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{5852F5ED-8BF4-11D4-A245-0080C6F74284} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{44D1B085-E495-4B5F-9EE6-34795C46E7E7} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B3FB63-66F4-4EFC-B717-BB283B85E79B} | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{76E2369A-75BA-41F9-8B9E-16059E5CF9A6} | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4} | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3} | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Printers | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = a80f00007ed4cb501a8fda01 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663 | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Environment | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-20\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SOFTWAREPROTECTIONPLATFORM\0FF1CE15-A989-479D-AF46-F275C6370663\85DD8B5F-EAA4-4AF3-A628-CCE9E77C9A03 | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588 | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Environment | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\EUDC | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Console | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\EUDC | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = d1968cb4f92b23609991ce8e71dd5d207126dd26536fd48c32aab7f0e8fdea54 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588 | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Keyboard Layout | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE | C:\Windows\system32\SppExtComObj.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Java VM\EnableJavaConsole = "0" | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.3.0.20" | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Printers | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663 | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft | C:\Windows\system32\SppExtComObj.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Control Panel | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03 | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform | C:\Windows\system32\SppExtComObj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588\DiscoveredKeyManagementServiceIpAddress = "10.3.0.20" | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663 | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663\85dd8b5f-eaa4-4af3-a628-cce9e77c9a03\DiscoveredKeyManagementServiceIpAddress = "10.3.0.20" | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588 | C:\Windows\system32\SppExtComObj.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Console | C:\Windows\Installer\MSI4420.tmp | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f\2de67392-b7a7-462a-b1ca-108dd189f588 | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0018-0000-0095-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0251-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.acrobatsecuritysettings.1\shell\Read | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.nuv\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0151-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0059-ABCDEFFEDCBC} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0349-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0157-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0277-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\WOW6432NODE\INTERFACE\{0F872661-C863-47A4-863F-C065C182858A}\PROXYSTUBCLSID32 | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\WOW6432NODE\INTERFACE\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TYPELIB | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.CDAudio\shell\Open\command | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5852F5EC-8BF4-11D4-A245-0080C6F74284}\ProxyStubClsid32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogv\shell\PlayWithVLC\command | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.pls | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0240-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AAEDF0B-D333-4B27-A0C6-BBF31413A42E}\ProxyStubClsid32 | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0172-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.tta | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0031-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0198-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0070-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0281-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.FDFDoc | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.ogv\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1} | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0196-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0322-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0143-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0219-ABCDEFFEDCBC} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0081-ABCDEFFEDCBB}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.b4s\shell\PlayWithVLC\command | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0278-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0367-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0257-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0051-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mov\shell\Open | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\FIREFOXHTML-308046B0AF4A39CB\DEFAULTICON | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\.ogx\ShellEx | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBC} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0130-ABCDEFFEDCBC} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0018-0000-0063-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0103-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0007-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0016-0000-0048-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0256-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{CAFEEFAC-0017-0000-0318-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBC}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBB} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0080-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0107-ABCDEFFEDCBA} | C:\Windows\Installer\MSI4420.tmp | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.xspf | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0150-ABCDEFFEDCBA}\INPROCSERVER32 | C:\Windows\Installer\MSI4420.tmp | N/A |
Runs net.exe
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| N/A | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| N/A | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| N/A | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\cleanmgr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\wdvdriver\aact.dll | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\AAct_x64.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\wdvdriver\aact.dll | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\wdvdriver\aact.dll | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\AAct_x64.exe
"C:\Users\Admin\AppData\Local\Temp\AAct_x64.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\AAct_x64.exe
"C:\Users\Admin\Desktop\AAct_x64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc >nul 2>&1
C:\Windows\System32\sc.exe
sc.exe stop sppsvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"
C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 0
C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
C:\Users\Admin\Desktop\wdvdriver\aact.dll
"C:\Users\Admin\Desktop\wdvdriver\aact.dll" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain
C:\Windows\system32\SppExtComObjPatcher.exe
SppExtComObjPatcher.exe C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688
C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato
C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=379cccfb-d4e0-48fe-b0f2-0136097be147;Action=CleanupState;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;Trigger=TimerEvent
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM aact.dll
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM aact.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
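The records above are the complete KMS-emulation chain in one pass: SppExtComObj.Exe is killed and sppsvc stopped, an Image File Execution Options "Debugger" value redirects every future start of SppExtComObj.Exe to SppExtComObjPatcher.exe, an inbound allow rule for TCP 1688 is added, aact.dll is started as a process image listening on port 1688, slmgr.vbs points the client at 10.3.0.20:1688 and runs /ato, and finally the IFEO key, the firewall rule and the Windows app key under SoftwareProtectionPlatform are deleted again. The second run further down repeats it and adds the Office variant through OSPP.VBS /sethst and /setprt. What follows is an added example, not part of this sandbox report and not code from the analysed tool: a small Python detector that applies rules for those steps to process command lines. The sample records are copied from the listing on this page; the rule names, the negative-control lines and the host name kms.corp.example are this example's own.

```python
"""Flag KMS-activator tradecraft in process command lines.

Added example written against the command lines in the sandbox listing; the
rules and technique names are this example's own, not the report's.
"""
import re
from collections import defaultdict

# Each rule is (technique, regex). Capture groups hold the detail worth
# reporting: hijacked image and debugger, firewall rule name, KMS host, app ID.
RULES = [
    ("ifeo_debugger_hijack", re.compile(
        r'reg(?:\.exe)?"?\s+add\s+"[^"]*\\Image File Execution Options\\([^"\\]+)"'
        r'.*?/v\s+"?Debugger"?.*?/d\s+"?([^"]+)"?', re.I)),
    ("firewall_allow_1688", re.compile(
        r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\s+name=(\S+)'
        r'.*?\baction=allow\b.*?\blocalport=1688\b', re.I)),
    ("spp_service_stopped", re.compile(
        r'\b(?:sc|net1?)(?:\.exe)?\s+stop\s+sppsvc\b', re.I)),
    ("spp_client_killed", re.compile(
        r'taskkill(?:\.exe)?\s.*?/im\s+SppExtComObj\.exe\b', re.I)),
    ("dll_run_as_process", re.compile(
        r'^"?([^"]+\.dll)"?\s+-port\s+(\d+)\b', re.I)),
    ("kms_host_redirected", re.compile(
        r'slmgr\.vbs\b.*?/skms\s+(\S+)', re.I)),
    ("kms_host_redirected", re.compile(
        r'ospp\.vbs"?\s.*?/sethst:(\S+)', re.I)),
    ("kms_activation_attempt", re.compile(
        r'slmgr\.vbs\b.*?/ato\b', re.I)),
    ("spp_app_key_deleted", re.compile(
        r'reg(?:\.exe)?"?\s+delete\s+"HKLM\\SOFTWARE\\Microsoft\\Windows NT'
        r'\\CurrentVersion\\SoftwareProtectionPlatform\\([0-9a-f-]{36})"', re.I)),
]

# Techniques a legitimate KMS client never needs; any one of them is decisive.
CORE = {"ifeo_debugger_hijack", "firewall_allow_1688", "dll_run_as_process"}

# Command lines copied from the process listing on this page (Windows run and
# the later Office run), plus one unrelated line from the same report as a
# negative control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe',
    r'taskkill.exe /t /f /IM SppExtComObj.Exe',
    r'"C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc >nul 2>&1',
    r'sc.exe stop sppsvc',
    r'net.exe stop sppsvc /y',
    r'C:\Windows\system32\net1 stop sppsvc /y',
    r'"C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"',
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"',
    r'Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688',
    r'"C:\Users\Admin\Desktop\wdvdriver\aact.dll" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID',
    r'cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688',
    r'cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato',
    r'"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64',
    r'"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:64',
    r'cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /sethst:10.3.0.20',
    r'C:\Windows\System32\CompPkgSrv.exe -Embedding',
]

# Constructed negative control: what an ordinary domain-joined client does.
# The host name is an assumption for the example, not from the report.
BENIGN_KMS_CLIENT = [
    r'cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms kms.corp.example:1688',
    r'cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato',
]


def analyze(cmdlines):
    """Return {technique: [detail, ...]} for every command line a rule matches.

    The parent cmd.exe wrapper and its child both match the same rule, so the
    detail (capture groups, or the matched text) is de-duplicated per technique.
    """
    hits = defaultdict(list)
    for line in cmdlines:
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            detail = " ".join(m.groups()) if m.groups() else m.group(0)
            if detail not in hits[name]:
                hits[name].append(detail)
    return dict(hits)


def verdict(hits):
    """True only when a technique outside normal KMS client behaviour is present."""
    return bool(CORE & set(hits))


if __name__ == "__main__":
    found = analyze(SAMPLE_CMDLINES)
    for name, details in found.items():
        print(f"{name}: {details}")
    print("verdict:", verdict(found))
```

A bare slmgr /skms followed by /ato is exactly what every domain-joined KMS client runs, so those two rules alone never produce a positive verdict; the discriminators are the IFEO Debugger on SppExtComObj.Exe, an inbound allow rule for TCP 1688 on a client that has no reason to listen there, and a .dll started as a process image. Because the listing shows the IFEO key, the firewall rule and the app key being removed again at the end of the run, process command-line telemetry may be the only artefact left on a live host.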
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0 0x42c
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbb760956h1e07h41ddhaa0dh1e023e94a929
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff97d0046f8,0x7ff97d004708,0x7ff97d004718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,5675370353687797155,12877050060112891364,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,5675370353687797155,12877050060112891364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,5675370353687797155,12877050060112891364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe" /D C
C:\Users\Admin\AppData\Local\Temp\7E4EB013-D1E1-4393-8838-1C5DE1D10034\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\7E4EB013-D1E1-4393-8838-1C5DE1D10034\dismhost.exe {1F2CFF3E-A816-4DDA-95CA-DD97A242BADB}
C:\Windows\System32\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe" /D C
C:\Users\Admin\AppData\Local\Temp\2D0CDC21-6093-4384-9569-743D585FA8E0\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\2D0CDC21-6093-4384-9569-743D585FA8E0\dismhost.exe {C36D5062-42BA-4A70-ADD2-E33ABCC95CEF}
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbfe1a229h03bfh40dah8222ha6f0491ce140
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff97d0046f8,0x7ff97d004708,0x7ff97d004718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,11718039603725168234,5994058035149650340,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,11718039603725168234,5994058035149650340,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,11718039603725168234,5994058035149650340,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
C:\Program Files\7-Zip\Uninstall.exe
"C:\Program Files\7-Zip\Uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\7zC46F4990\Uninst.exe
C:\Users\Admin\AppData\Local\Temp\7zC46F4990\Uninst.exe /N /D="C:\Program Files\7-Zip\"
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe" /qb /x {64A3A4F4-B792-11D6-A78A-00B0D0180381}
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding B141A9845F7D0B0988B181A03D1D1C2D
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 659662C1547C6B9C7822DA2E3BA15216 E Global\MSI0000
C:\Program Files\VideoLAN\VLC\uninstall.exe
"C:\Program Files\VideoLAN\VLC\uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Program Files\VideoLAN\VLC\
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files\VideoLAN\VLC\axvlc.dll"
C:\Windows\system32\regsvr32.exe
/s /u "C:\Program Files\VideoLAN\VLC\axvlc.dll"
C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\uninstall.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Program Files (x86)\Mozilla Maintenance Service\
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" uninstall
C:\Program Files\Mozilla Firefox\uninstall\helper.exe
"C:\Program Files\Mozilla Firefox\uninstall\helper.exe"
C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe
"C:\Program Files\Mozilla Firefox\uninstall\uninstaller.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Program Files\Mozilla Firefox\uninstall\
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask uninstall
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" --backgroundtask uninstall
C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s /u "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" uninstall 308046B0AF4A39CB
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe" /qb /x {77924AE4-039E-4CA4-87B4-2F64180381F0}
C:\Windows\Installer\MSI4420.tmp
"C:\Windows\Installer\MSI4420.tmp" INSTALLDIR="C:\Program Files\Java\jre-1.8\\" ProductCode={77924AE4-039E-4CA4-87B4-2F64180381F0}
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
"C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe" -u auto-update
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 4EE20E011E081FE9AC96CF0FB7575090 E Global\MSI0000
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 1B4DC0BEEC82C33F3D65B28972B829E8
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe" /x {4A03706F-666A-4037-7777-5F2748764D10} /qn
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4689FE712510E0ADE5D225F89104E224 E Global\MSI0000
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe" /uninstall
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe /uninstall /permachine /silent /childprocess /enableOMCTelemetry /cusid:S-1-5-21-3198953144-1466794930-246379610-1000
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe /uninstall /peruser /childprocess /enableOMCTelemetry
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
C:\Windows\system32\msiexec.exe
"C:\Windows\system32\msiexec.exe" /qb /x {AC76BA86-7AD7-1033-7B44-AC0F074E4100}
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8AD1E2794858F913A85A486CA03E3AA0
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DE3FC0946082291A2146465008A2448F E Global\MSI0000
C:\Windows\Installer\MSICB1B.tmp
"C:\Windows\Installer\MSICB1B.tmp" /b 3 120 0
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe" ClearToasts
C:\Windows\System32\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe" /D C
C:\Windows\System32\cleanmgr.exe
"C:\Windows\System32\cleanmgr.exe" /D C
C:\Users\Admin\AppData\Local\Temp\C3A75E9D-2717-44AA-A89A-F18D54DEA8BD\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\C3A75E9D-2717-44AA-A89A-F18D54DEA8BD\dismhost.exe {2964FBCF-7D6E-4FE6-A152-FAAD99EEC239}
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultfdf2cf2fh46b8h4fcfhbd71h16bd2f478ab0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff97d0046f8,0x7ff97d004708,0x7ff97d004718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,5906778178281648197,4788023171049558878,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,5906778178281648197,4788023171049558878,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,5906778178281648197,4788023171049558878,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --uninstall --system-level
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x258,0x25c,0x260,0x234,0x264,0x7ff60542ae48,0x7ff60542ae58,0x7ff60542ae68
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --uninstall
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff97d1aab58,0x7ff97d1aab68,0x7ff97d1aab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1972,i,3724734800391789021,15491419181970480128,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1972,i,3724734800391789021,15491419181970480128,131072 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://support.google.com/chrome?p=chrome_uninstall_survey&crversion=110.0.5481.104&os=10.0.19041
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff97d0046f8,0x7ff97d004708,0x7ff97d004718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5820299865714034727,4334003120134560445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,5820299865714034727,4334003120134560445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,5820299865714034727,4334003120134560445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5820299865714034727,4334003120134560445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5820299865714034727,4334003120134560445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault36bf65f0h5f6ch44b1hb04dhe0857ebfa19f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff97d0046f8,0x7ff97d004708,0x7ff97d004718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6007094428733841182,4214899399053298957,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,6007094428733841182,4214899399053298957,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,6007094428733841182,4214899399053298957,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd22b951ch934eh4a36hbc1ch7c3c7af630b6
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff97d0046f8,0x7ff97d004708,0x7ff97d004718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,2701131278159766659,6967864481544361818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,2701131278159766659,6967864481544361818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,2701131278159766659,6967864481544361818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shwebsvc.dll,AddNetPlaceRunDll
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
C:\Windows\System32\BitLockerWizardElev.exe
"C:\Windows\System32\BitLockerWizardElev.exe" F:\ T
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BDESVC
C:\Windows\System32\BdeUISrv.exe
C:\Windows\System32\BdeUISrv.exe -Embedding
C:\Windows\System32\FveNotify.exe
"C:\Windows\System32\FveNotify.exe" \\?\Volume{a5bee7f6-0000-0000-0000-f0ff3a000000}\
C:\Users\Admin\Desktop\AAct_x64.exe
"C:\Users\Admin\Desktop\AAct_x64.exe" "C:\Users\Admin\Desktop\Windows (C) - Shortcut.lnk"
C:\Users\Admin\Desktop\AAct_x64.exe
"C:\Users\Admin\Desktop\AAct_x64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc >nul 2>&1
C:\Windows\System32\sc.exe
sc.exe stop sppsvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y
C:\Windows\System32\net.exe
net.exe stop sppsvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sppsvc /y
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"
C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 0
C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
C:\Users\Admin\Desktop\wdvdriver\aact.dll
"C:\Users\Admin\Desktop\wdvdriver\aact.dll" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig.exe /flushdns
C:\Windows\System32\ipconfig.exe
ipconfig.exe /flushdns
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\0ff1ce15-a989-479d-af46-f275c6370663" /f /reg:64
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /remhst
C:\Windows\System32\cscript.exe
cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /remhst
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /sethst:10.3.0.20
C:\Windows\System32\cscript.exe
cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /sethst:10.3.0.20
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /setprt:1688
C:\Windows\System32\cscript.exe
cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /setprt:1688
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /act
C:\Windows\System32\cscript.exe
cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /act
C:\Windows\system32\SppExtComObjPatcher.exe
SppExtComObjPatcher.exe C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /remhst
C:\Windows\System32\cscript.exe
cscript.exe "C:\Program Files\Microsoft Office\Office16\OSPP.VBS" //NoLogo /remhst
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM aact.dll
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM aact.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0 0x42c
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc.exe stop sppsvc >nul 2>&1
C:\Windows\System32\sc.exe
sc.exe stop sppsvc
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c net.exe stop sppsvc /y
C:\Windows\System32\net.exe
net.exe stop sppsvc /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop sppsvc /y
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"
C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger" /t REG_SZ /d "SppExtComObjPatcher.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 0
C:\Windows\System32\reg.exe
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation" /t REG_DWORD /d 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
C:\Users\Admin\Desktop\wdvdriver\aact.dll
"C:\Users\Admin\Desktop\wdvdriver\aact.dll" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /sdns
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /act-type 0
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms-domain
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /skms 10.3.0.20:1688
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ato
C:\Windows\system32\SppExtComObjPatcher.exe
SppExtComObjPatcher.exe C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
C:\Windows\System32\cscript.exe
cscript.exe C:\Windows\System32\slmgr.vbs //NoLogo /ckms
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM aact.dll
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM aact.dll
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\taskkill.exe
taskkill.exe /t /f /IM SppExtComObj.Exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "Debugger"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f /v "KMS_Emulation"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\reg.exe
reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SppExtComObj.Exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\system32\netsh.exe
Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\55c92734-d682-4d71-983e-d6ec3f16059f" /f /reg:64
Network
Files
C:\Users\Admin\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\Documents\OpenAdd.vsdx
| MD5 | 684e436df74241c8ffc0f80e86b2dfa2 |
| SHA1 | 207a514a9c1ed30e66a9537e601888ad72674a93 |
| SHA256 | 5174824f65b17af92c1df9fcd67070c82bd364415c1a631fa4dd75ea69d1fad9 |
| SHA512 | b2f76374097a39278aa8c30d1f5e731bcbc7e2ee046006115622a486e09bdcdd66293868897e9a146c9ef26520114a3e3daa55b00c533aa9c68b087a09ffd944 |
C:\Users\Admin\Documents\InstallResolve.dotx
| MD5 | f67b6dea89a5fab6f518d5366bdc1318 |
| SHA1 | cb76e5d5721cada01e357aa5d0c38e2a1bb5610a |
| SHA256 | dae180c71673936d029de249d7b082986837590e6273c32ac7b27e21134786be |
| SHA512 | f160e2bf0fdf59949440d4c6efb380e8d20568a0f10c27f879cb7739ffdb4289d3fad85c8fa041fe63465e950c449b3e0817b9c760d37faba7ee05b5f5fc0d25 |
C:\Users\Admin\Documents\ImportPublish.htm
| MD5 | 0b9fbaf76b73b6db0ccc948be58fe44b |
| SHA1 | 9e0fca04b78a38c32d316ebd93b70d27542490d7 |
| SHA256 | f30b553c7567fa9071398c5b94c8b17d79680a1ab6d735a92136c93fafa3bcb9 |
| SHA512 | 85e72bb909280aaf488524e8f1929dd1f92e2c65d8130c1256544e034dfd8f83638eb0684487d0367be1fad79f57cd627c0fe754059b09882598d4ee940b6180 |
C:\Users\Admin\Documents\GroupPush.docx
| MD5 | ceb932aa00f1b6a8f104d13e15e10134 |
| SHA1 | 4a56ca56a0478e745185fda9e5fc7369accc5f35 |
| SHA256 | f34c1bcf3471f201168adeaff1712db62f6aa716880ca7eb868e9fd8be81c44b |
| SHA512 | e4feecd053f76f07975e7577878420ea6e666665e629a529dc2133b6a32220cce06354d5d74a41979e83d4a98d412aa78076f6c3110aa12721b963e633646ffc |
C:\Users\Admin\Documents\GrantRepair.xltx
| MD5 | 932fda8620677f25359fc2fde99dd1f9 |
| SHA1 | 78b70ed63eeede3c6be057769519c853b8218492 |
| SHA256 | 0706bbf303aa12f4488aa140e3eebf3bfd1a8d589c3752191069009789d6e105 |
| SHA512 | 66b2f3b70c11797f3837937f3574daaa49ef9d78e508aa7e619d10c805a0dbfbeedf125939e65ae3b76e0ac2ddfcc39a8dd0ebfd1261cfccfa969fe3b805ef02 |
C:\Users\Admin\Documents\CompareResolve.vdw
| MD5 | b14ded3c2115422fba06a0f9faf8f569 |
| SHA1 | 65df83c055b84295973e18aaf470dab1f376095e |
| SHA256 | e4126f79cf0494ba1a0e0671bc5f1f212ce256d9570ddc1431cc01c1476db959 |
| SHA512 | 6aa59bb70242273d26fd09e0e2ef72bbdea6821d4f64196c9256807fc8a4f0cdd413559d23d654b0446f37e55bf511058704da733088502df7f5f64cdb15eadb |
C:\Users\Admin\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\Documents\AddRemove.xps
| MD5 | 2e4ba6ab2edbd7195124bf75e6bde130 |
| SHA1 | b22a53eb8d203ed01b11e8049f12d34be3437c7e |
| SHA256 | ea3f8d94f9ad390db60ffdb8f0c17d512ce620474f0dfaeb8fc2b2dc34852bba |
| SHA512 | 73cd678f258209ac9bff9047439dd45de09148d3a9a685d677d99e2bb4b19f0c90e7a1dbb9259d9ba3a8d31b9effe387508548973121be91c0966afe159ba508 |
C:\Users\Admin\Documents\WriteUnpublish.vsx
| MD5 | cce1d734cedc186c954d6434b08f43db |
| SHA1 | 9683d3ef994ad237d75d8126cc8c7a86d1e05304 |
| SHA256 | 2791955cd5fca00d7e421edeab4953d69238ea47c714aadf3e3dffc1901d6ba9 |
| SHA512 | d2a4dc0f463e76489b061612ac589b0fabdb343f536649a33a6814c77f0fa139954f8ab13e0ed4ac235b8303643ee011c4aee8927cee82887fa7206717fd6a7d |
C:\Windows\Logs\DISM\dism.log
| MD5 | 72cc62c45c27375071e96dfc596266d9 |
| SHA1 | 6d4e274292c79165f2ec5f1aeebe513e4f70037c |
| SHA256 | 4a9428566a2b1f6920d611cda14340caf71bd424b6a27f2ef6fc5a866bac88ba |
| SHA512 | 7fc60980aae0b3e43c80ab89c28cf5f8def8f131e9f8fd1536d0207536003bbb7aea6f197f6b1ed9528c60b3c8b4e83db9b68b378cd5395222da2155252c054d |
C:\Windows\System32\LogFiles\setupcln\diagerr.xml
| MD5 | a93655ad851d7abc6a5f95f47769b8b3 |
| SHA1 | 4c57c3e7ffaf197fde65a063d00f157eb473ff59 |
| SHA256 | 777d31ac0c50ea3ea1d0770f9723198fb955e7c84f69e280f84e5c65f10b9423 |
| SHA512 | abcba15d559d0d15efa6f6fd0a4a06a31452db0facc7c41197bcf086ba28605cb5c95272456ab6da677fae50d3e650b42ed511414f623e9dfedea6d8e5e5e075 |
C:\Windows\System32\LogFiles\setupcln\setupact.log
| MD5 | 793f4b8de8d291cd6aeef57c9e6aac48 |
| SHA1 | 43cd0ef586e7632fa320acced98dd8a973bacd3a |
| SHA256 | caffb9bb283fd4c40d4b798481d5b9526691152e99f00469933540f429518d5f |
| SHA512 | 7ee42afe98279b8d300ded570567974ea889cb43dad6cb4b0eb22c351c41b03d08fd1432a6856b7b9259929441abefa69e44d54f75723b4091d0bae9151f009a |
C:\Windows\System32\LogFiles\setupcln\diagwrn.xml
| MD5 | 692ca5ebc9e0cef0a8d0be4df7400cee |
| SHA1 | f63dada2e5f7a1d786c93bc3d757642d93b24b59 |
| SHA256 | a378a154cfbf27b8471462c657f28a11fee70fd33593ac09ee216c642b26b3aa |
| SHA512 | 429b2eba8b421f3bae504ebe94da0ea9e662e5256d16301f46a4590f915b381cbc67b86c2beba391600b5f512412f1dcd9bdefc363b4c63dc7136022fa0f45bb |
C:\Users\Admin\AppData\Local\Temp\2D0CDC21-6093-4384-9569-743D585FA8E0\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
memory/5000-529-0x0000000140000000-0x00000001402DA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e2ece0fcb9f6256efba522462a9a9288 |
| SHA1 | ccc599f64d30e15833b45c7e52924d4bd2f54acb |
| SHA256 | 0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005 |
| SHA512 | ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac |
C:\Windows\Installer\MSI39F.tmp
| MD5 | 1f0af45ebb41a281e1842cf13ec0a936 |
| SHA1 | ed725de3bfb61f9614d76497ce88488925502977 |
| SHA256 | 18c9929344a096d80a051b2513c1c91ca89ba22c9e8d24240faf1566767a9e66 |
| SHA512 | 3c414d6ea6f929d9710ffb9a8dbfa737b36ded9b2cdf8260d6a8a9224ffb005e1dc090d331b9f69b9c7c8871570f437288fcc3c8b51dd619df9975d374085c8c |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | e1e95d8f88714f7ea99c02dc632b3a4e |
| SHA1 | 691c6cdc89c48201c83018919b18eeac946fc544 |
| SHA256 | 79b91dd14684212eee24abf99bc46e564243997be61e09b0fff67d7fe403de7c |
| SHA512 | 6821bfb719a58a5b896cad48f7cd5ba755410df16681f4df7009463b9fa2603b6771699183ac0e3c1fd4884a88710e03bd998d358d664cafe2a53743eed7b8fd |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | d0f0af6c2edf5a4e7918224062f0cea8 |
| SHA1 | ad3431e8ac104708ac4b96ebad49e29064bc0164 |
| SHA256 | 303a5fd3b6a5dd422dc339a0dc58b1d9b168e6c454ad59c72bb61470bfddc4a6 |
| SHA512 | b35cc350edd75c4069f48e076553d3fffdcceb89d1bb5ba64afb3bbc807b33007dbedb38459d8d82600b2cf3346d1acaf6d6964fa77788d3691da17cb8e0c645 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url
| MD5 | a55fb7769c8c3be66219e8ca2b322d51 |
| SHA1 | 50c5a0e965307903119126e54351a5a47f0dc3d9 |
| SHA256 | 4de0a9dec604cde18e16cae6eeed86f85adc687d19c12943f5a3abd08c1e785c |
| SHA512 | ed4ae845d5172aa96f7a24f0c307c0c535e563c0b35bddc99953e3d993d57af86f820189d0ece08f1858b1c9d5bddfc42e55b491fdde802d657c59d23b6c76d1 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java\Visit Java.com.url
| MD5 | 8d2ea0247cae891e2786f4265f151c96 |
| SHA1 | fd072605314c81207e14988d12ca0206c7e31122 |
| SHA256 | dbb6eadf1e8331965d112f6428fc864412240b8595964e25cb00bec14e69cc3d |
| SHA512 | 389598be3b6ebb2d11383e98c16ef517f0eb3f82a9c1fde88a8d85f5bb537636704602148f33529d2033e50b839b2fa5d8fcdc60e60ad5849fa29f2e26948ec7 |
C:\Config.Msi\e5cfeeb.rbs
| MD5 | 2dbd1a0773582214f594488b3fdc6c33 |
| SHA1 | 79d6c26388a21d2485d47452d761532ba61fe36d |
| SHA256 | 2236762f3ad29d5ad5a742b86c45f44451bfb801b8d119d3c1c0aa77374f6479 |
| SHA512 | e40ba157e07aa1347e32f17bc3d13b0dd6393e1d0c1b0b628336573158d8de31ca6c13e5b46a37cad197b01cfcfafae3b30b12eaaf59273cc7ca6de54ab5f699 |
memory/1136-812-0x0000000000400000-0x0000000000481000-memory.dmp
memory/3352-818-0x0000000000400000-0x0000000000481000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsu2D4E.tmp\nsDialogs.dll
| MD5 | 2029c44871670eec937d1a8c1e9faa21 |
| SHA1 | e8d53b9e8bc475cc274d80d3836b526d8dd2747a |
| SHA256 | a4ae6d33f940a80e8fe34537c5cc1f8b8679c979607969320cfb750c15809ac2 |
| SHA512 | 6f151c9818ac2f3aef6d4cabd8122c7e22ccf0b84fa5d4bcc951f8c3d00e8c270127eac1e9d93c5f4594ac90de8aff87dc6e96562f532a3d19c0da63a28654b7 |
C:\Users\Admin\AppData\Local\Temp\nsu2D4E.tmp\System.dll
| MD5 | 4f25d99bf1375fe5e61b037b2616695d |
| SHA1 | 958fad0e54df0736ddab28ff6cb93e6ed580c862 |
| SHA256 | 803931797d95777248dee4f2a563aed51fe931d2dd28faec507c69ed0f26f647 |
| SHA512 | 96a8446f322cd62377a93d2088c0ce06087da27ef95a391e02c505fb4eb1d00419143d67d89494c2ef6f57ae2fd7f049c86e00858d1b193ec6dde4d0fe0e3130 |
C:\Users\Admin\AppData\Local\Temp\nsu2D4E.tmp\LangDLL.dll
| MD5 | 20850d4d5416fbfd6a02e8a120f360fc |
| SHA1 | ac34f3a34aaa4a21efd6a32bc93102639170e219 |
| SHA256 | 860b409b065b747aab2a9937f02d08b6fd7309993b50d8e4b53983c8c2b56b61 |
| SHA512 | c8048b9ae0ced72a384c5ab781083a76b96ae08d5c8a5c7797f75a7e54e9cd9192349f185ee88c9cf0514fc8d59e37e01d88b9c8106321c0581659ebe1d1c276 |
memory/3352-837-0x0000000000400000-0x0000000000481000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsx8BF8.tmp\System.dll
| MD5 | b361682fa5e6a1906e754cfa08aa8d90 |
| SHA1 | c6701aee0c866565de1b7c1f81fd88da56b395d3 |
| SHA256 | b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04 |
| SHA512 | 2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9 |
C:\Users\Admin\AppData\Local\Temp\nssCCD9.tmp\UAC.dll
| MD5 | d23b256e9c12fe37d984bae5017c5f8c |
| SHA1 | fd698b58a563816b2260bbc50d7f864b33523121 |
| SHA256 | ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c |
| SHA512 | 13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e |
C:\Users\Admin\AppData\Local\Temp\nssCCD9.tmp\ServicesHelper.dll
| MD5 | b9e8c2212ac8dae4b0eaf97c048529fa |
| SHA1 | 331d172323480b0518abdb0cc9e256dc7f46c357 |
| SHA256 | d6f6758adac2c073bec481e8de762af3a5574789bce3f43de02356afc9911e0f |
| SHA512 | d93aa032e27c8268a4f6883711cf41f7ee2b5d33673a26d78db24456f2c548af39b7b98ed4b4737245c278d524fffb3e4bf708b6815dc866acd371427ff6be96 |
C:\Users\Admin\AppData\Local\Temp\nssCCD9.tmp\CityHash.dll
| MD5 | 2021acc65fa998daa98131e20c4605be |
| SHA1 | 2e8407cfe3b1a9d839ea391cfc423e8df8d8a390 |
| SHA256 | c299a0a71bf57eb241868158b4fcfe839d15d5ba607e1bdc5499fdf67b334a14 |
| SHA512 | cb96d3547bab778cbe94076be6765ed2ae07e183e4888d6c380f240b8c6708662a3b2b6b2294e38c48bc91bf2cc5fc7cfcd3afe63775151ba2fe34b06ce38948 |
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
| MD5 | bb6a4ec007fb251f4891f9782067a9f8 |
| SHA1 | ca3c13644794eb8bf5640d19c811c693a5aa9029 |
| SHA256 | 8a024c98cee15a0eabee880947f16ab9dda59b37cdea1442ed14368fcaef02fd |
| SHA512 | 91d0eb8fe07cd72868bb469f746bb4cc3eeaee6f495458a7d9dfd3fe9db86fa007278ff3014172d0b59563a47002c030ef4823c51d36d05f2a5b3673818c7a68 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\ioSpecial.ini
| MD5 | 4ecf306772834f4a1d68755f88b002b0 |
| SHA1 | 3bcefe2b073f0cc5d99953a4e350848b04b96071 |
| SHA256 | 4181e2a4043e1b14522fddbd43b1a13ff05bdabdee3f93a1fca32a97070999bd |
| SHA512 | 08f6a9bf1677d1959e85dadab38515e73511c77a09902fbbcc2d44d3809a26ff00072c101e62754a5c920274ada5427d794823346e9a61bd123578e5702f8c50 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\BitsUtils.dll
| MD5 | 8dd17c172a24ebf9601308b949a9ea22 |
| SHA1 | 507e586c9f69ddc7e58442631efc44f3fe58089c |
| SHA256 | ab77c0a6c79e76ab0f509d655273b2ee5c682c702217f4f884bbab3d2fdfc4c0 |
| SHA512 | 7de5a35771ac8ead2e3096de29bdedd8e94696d35dc304388c1cff2a14bb264e389a576dae21aaf9cbac79de6c99606b61f1dc5f0ba35fd261b2f5553d389e59 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\InstallOptions.dll
| MD5 | fd249bc508706f04a18e0bc0afddec82 |
| SHA1 | b94efda9f41c89fc6120ed385867125d03f28bea |
| SHA256 | c34f095e200db420ce9af5489c3e392be285e43c3f4c9fbe34686b1f0a1531ad |
| SHA512 | c820c06ad5ae21101602d9e7864fed9b470b25fa9a0ee025d05e72697d88c7e03cbee7ad476f4e3d5b6e467248b8ad1fefa2710c76011e2156b85068961404ba |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\ioSpecial.ini
| MD5 | cc7cbcac7195cf32c28e36da84e9536d |
| SHA1 | 07cfc22589fe4ba8e97007230e6f33992d85e0b3 |
| SHA256 | 88d5ed15c20e5112171ef09a9ab44973f5ae63acf1da8e3fa7410857e15de1ea |
| SHA512 | 8c12bd2762a879fbe40b0e77cecaac0b53b8238b11f64bf4beb3b46f712a229dfadb7120c6b8157d05fb0fbf417cde4062342e0f190897dda175e0bb4d39d2b1 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\ioSpecial.ini
| MD5 | c39168e9adef2155821f5c9f935899e5 |
| SHA1 | 42059dbe2ec84a56dbaf02d37136f5bff85de0fd |
| SHA256 | 7a909b70335f1368e5e0d35508cac079fd8a33436788f53496d433b2e64f972d |
| SHA512 | bc2a767a053bf915cd662a291cec6da542f4940738633b9ce021e39f0de351ca67e763954115b32c3f22deb2a1a5e3c19443d93e7994855fefb07e0c2672a817 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\modern-wizard.bmp
| MD5 | 49ff8ad8f51875597f3e919e8770c24c |
| SHA1 | 1e840ce0f68281e312317bcbdbc10fdfcd3959c3 |
| SHA256 | 76da716588b8e51e36ee7a674cd873a8069e27fef73851d1e190face5a67fc66 |
| SHA512 | dcf29bbef46b1bd8d9f6c6221955ab06da23bc6661c603c188ce34fed80984a3b6d2006ab38b49aa9d1908d714cc0f40e63b6230244e4d4a0c9baebbbda1ddb1 |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\AccessibleHandler.dll
| MD5 | a86004cd9f3387c116f7f8fdb6cd5655 |
| SHA1 | 86396b3d596956977112d4d6b886e553227f668d |
| SHA256 | 38cae253110f2d2852a7616ef337c11495ad0801a2e549216bb34fb1d2069962 |
| SHA512 | fd8db274fd98ac836b0be8e410b17ee12ec29fdc13964310d8dbbd4b69b9cb71d796902c327b12b966be8fced311d3fda9e816e012a3a8906922d7cb67d769ff |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\AccessibleMarshal.dll
| MD5 | f67c1e4920a5482f7ae8c56c188379c4 |
| SHA1 | 92642319f4254011cd2e18a480a389dd7fd2d2ee |
| SHA256 | 023f747692e6ee26f7b4948c36da325e3f9fe528869fbafebd80c1549f496054 |
| SHA512 | 20674533a8b5764073f2a624e0f73b0e09f8cde9978f0499309a0a088a15c3eac4958f40cb5ed6195f4a03e001f823695bb9feb4ac2c1955e59a7cdbc92e75e4 |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\IA2Marshal.dll
| MD5 | f6c251368d2ecbe26d78dd0087dc29d0 |
| SHA1 | 7a52373fcd0545c7945ec5ad33a3294ef4d7adbf |
| SHA256 | 4ea93aa8d5ea91e73c5a579a3a2154932b50ac3aa6170251d964726a853e7ec5 |
| SHA512 | 2043300b58f009a5cf6f2bdadfaacd723742fa34d6a8c7528119fa2e6a5125aceb1107b7b392f94b20763ee70eac731bf922eeefb8a9bb12c67f2a3eda6ccebd |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\freebl3.dll
| MD5 | c19f51b89ad2cec296f976aa67631ad7 |
| SHA1 | 51ffd2b698a34d935b7653959c5d6ac21b6c739b |
| SHA256 | e540e48084d8c8f4ae7a136c44170ca2336e27c21c3ad69e361eb79f88432593 |
| SHA512 | 0bb68147cda4d8df36480aae44674b9ae17248e10e538cfdf2f3919dc9c518559c5b214e5afbb5f80c4aefd2df56d34dfd674b312666e11d6a367baecbe7aad8 |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\firefox.exe
| MD5 | 94ef2fadc18337ed24316f0244bca697 |
| SHA1 | d903ed312a4220453c7d336cf4b6a8b7ce9bd599 |
| SHA256 | f293de7a58dc35a39df67d982301b0dd8016162a4188cf73d74adb15062d7524 |
| SHA512 | ae3b5bfb1188ce5c6cc317fddd4e0e39253b95aa9df3232fd88a9b140f3cc9831ef2cc54c8aa960b43361eb8a88b0ed6cd1cb0990b0b84e3edfea2298b2db2c4 |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\default-browser-agent.exe
| MD5 | 46462a56ff00112e5b44f421ab18c908 |
| SHA1 | 5a058c946477e0ba206ed44f79664f7648c00272 |
| SHA256 | 0296cdc02a167b5443339e45348202e6e3f643caa6b3ccf5b6c0eb4457c4750d |
| SHA512 | 5f46ea8a85672aa0a1ac4f252f9a2e216dcaa2a44dc0d3f2191be9fd57ba874b1c1b571471b0a498b84d23ee450301d7eb14f6e1ee35d8de5462c7a1175b0287 |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\crashreporter.exe
| MD5 | b53b154cef8f2fd9d0d640869d3e93e6 |
| SHA1 | 9c0ab7ea71c44f4dd9102ca9db31c7f0b4eceef3 |
| SHA256 | 46c200f82ac3ecafa06d4997a21f01c7c40a207bdf3c241a1d0929eb7ca1c0a2 |
| SHA512 | 65cf89f0b3927f5aee033c2a6ad8c956a38821921a93ad7cf1f2b765a7cf497a7ee5e44d97da03a60609348ffa91c92a6e43b5d4ff8995caddd72865d7823f64 |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\mozwer.dll
| MD5 | 62f0fa43eca5bac352fa7929fedffa40 |
| SHA1 | 85e034f9832185422e9642683050f0bb9b54229f |
| SHA256 | 9612373c2dc666dcf3bb25b0e76a2a4b9ccf3a0ad15b30c7a72b688e3a23eefd |
| SHA512 | 723001b74c2d39038a74b3dba6f3bbf688001c66726d8ed6e6a3375eecbe88209a06cf6fb6c60775dedc9a838f96c1cd785c5eb235764c76e90aba90315a6779 |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\minidump-analyzer.exe
| MD5 | 67c562e98bf72cb1fd44b090860ada5b |
| SHA1 | 59e87c41e62f3d2570bb6d67bd50af78e7476b95 |
| SHA256 | ed26aee96713f18b86a56dda7e5595e7d6354bbef982f7a3ea4386a0a862ebeb |
| SHA512 | 80d0832cbdc17808b0af2bb709a88ca779afccf6fa95b2cb50fdad5830fff3e0e07fa97426039a8cf7ba6ddaa38e1415e6299ca1a0b2738de14447944aaba3ef |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\nssckbi.dll
| MD5 | 42dee40ae1fdd368e2013ac147e79c1e |
| SHA1 | 0f4ab1e0686b12f4724cc7c0f78104310a8c5e84 |
| SHA256 | f601e66fda1c8d0059667b76e97ecfb3abf8aa12d5095a0db916857ebc75ef81 |
| SHA512 | e0c2b8e040bf5760fefde6179a21a291905debfa46ac5fcc00e5b906889eef10f41374fbe9472d66bafea714950b3831810d3214b48f6d6eb3f6690e27d41630 |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\updater.exe
| MD5 | 3e94c46ccd48ecc8feb0a0bdf6a65f05 |
| SHA1 | 657a32b95848b1e6aab6677d4251717a6cf5c50b |
| SHA256 | 043a16e78a63a5a63b2c41b7f13920a3d4776d5d163af57f5e05604c779b2f8c |
| SHA512 | fb38354a98994ffd6d79527bd20f5c1adc957b9aad51e2e766e66704281b9118d94cce33b83cb3885fbb3b1976d949298f27bf524af158607a7b690b8d247d05 |
C:\Program Files\Mozilla Firefox\nsaDF78.tmp\pingsender.exe
| MD5 | a6c135cb83ac8b3843093954f85904fa |
| SHA1 | 05092e8ab996ac25d95447ed5504c2cb6ac50181 |
| SHA256 | 63b9e90c1a62d72b9bee84ead5988c59e2f764c347ccbc52c15d25935b2e885d |
| SHA512 | ff9e99be5ea9c8bdd8e065288bdaed1f8fd14ce8fadd2078f32ebaa1988f0d11a8382d9b55e44700a019495ec81f5b81284bc8378e23308a6114d634f931db1b |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\modern-header.bmp
| MD5 | d74f354a7dff27324b463404f4eec99b |
| SHA1 | c0cd9ec50ef163bb868f574db8ca97ccbaa109e4 |
| SHA256 | bc08eabb8b11b7693ac5de4db4d787ae31fdc9f29f6020536c838793bb2d4438 |
| SHA512 | 09116cfc89e16c0cb104e13292976fe8cb97131f309228fd6488a13d2afff4b902ed490f12cb633be232654ceadaee00f23cbe6206677e61c0a9642c72486c4e |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\unconfirm.ini
| MD5 | 19313efd31f6576a8ce93ac026ffd896 |
| SHA1 | 4a4ea15e220c46df28bd5bfc8e6eb491e6b60355 |
| SHA256 | 822d328426d827c8fb8529cf17c548f57bf0873df3a4a2286977451c7ad5cc3a |
| SHA512 | 7a4adc9534a9300f64a4f3fc86cd536f700c0e1b0e75cb5578ff422e24bd9f1ceab88e47d4bb088c624521220b1c2cbb1038c926f0b10583ad288e6ebf17226e |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\unconfirm.ini
| MD5 | aae1a4438fa196d0b7ce2bb2f89ae56a |
| SHA1 | c3183ab89eb3386f81e1e173e53d85f698c6ffaf |
| SHA256 | d0c1aa89c0206849a93802586ed6dab16d0f7383ab3a5a438a53ada99ddbaf45 |
| SHA512 | 64611b0a03c914137b4296ed99d425de34e8908ac6363f0448a04551784b2792d6d8952576b7a28052dee7ae5d621178808c77ad8ce9a76b5327644e8c26d4bf |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\ShellLink.dll
| MD5 | fa94d120efb029b43217c66bbc8c650c |
| SHA1 | 1fcf2d76adf69b403b7400681ac91d50ed20385f |
| SHA256 | 5f6f414b412c72b10f49eb92af1d368ede531b58fb200d539fd2b45e371612db |
| SHA512 | 07ed0771d5bbb651ea7421a5f6b08fa234f9cc041315d9360a7135ba12180064fc99a27725385a8ecd3ceb25bed5c00de169f7dabb3ccf6e987f45254dff8158 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\ApplicationID.dll
| MD5 | fdc0338e6faeaf6f7c271982e103473b |
| SHA1 | 9a41f7932abe8be7e32c6371f085cf14de355d00 |
| SHA256 | a9dad9fdaae93d10dc2ee346b231913445e731049554b8bb1506827e46f8a44e |
| SHA512 | a766eef11db4c94b1445d1cd70cf1d3b6141d6b3973562e9fa8d81c79195886b884dbc9b9f6952f8a6e8619534a6bf2d615d539d2cace9c8843dc19415051cc0 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\ioSpecial.ini
| MD5 | 1816b8b0e90eb61a7ec59722d8d9abf1 |
| SHA1 | 81b604cc76bb47d5c8b1dfe71a3dde15c9eba757 |
| SHA256 | 96b7dbda00fef4a7455f37c08f1147ef27490de1a9d96d5250a8f29346d5345e |
| SHA512 | 0a4dd8601b748f7da175f76bde39766d942eeeb8efbb6e8755e1b23d2f2e93fe98aaf5034d5de3a2a4819c4e08ac4b706ee1ddf54d91b40c5e3b12ef39e11a62 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\ioSpecial.ini
| MD5 | 8885e03fe608cc64d03cc9943144d161 |
| SHA1 | 7174816e4c6d73bb8c39cbe513d13048c494f568 |
| SHA256 | b2781cc222ae641b2bc97c19dfaef3830909b0134966b2690c550aee7f123be5 |
| SHA512 | ae39147e1bcce39a21c50bb26f98567e645f841c0f52420f762c8742807bde0ab95f6cf65594930b6d522ea6604030fb3ac1c04c59075b88c388a9413ed4252a |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\ioSpecial.ini
| MD5 | 2c9263210b7d46a8d924e4a4ffaa789f |
| SHA1 | 351f757e5e249487efc0939acfade77ac32ecee0 |
| SHA256 | fe7d4e1134847059792c9f4027ea6326eb526888e249a92d266ba8460f094e64 |
| SHA512 | 5b30c620912f05071841dece43944ad895c1caf79180dce0b45ba1ace9758ed60769368b0086acc1bce7210a2147ca44a39b09219a7d39ec7b22bada7477ee01 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\Banner.dll
| MD5 | 2b3f617f22f70710aaf7f27efab15c40 |
| SHA1 | 66c2397748b46c0aa03f0de1d3b1ef0598512f7c |
| SHA256 | 2393ee61dff10c520fea62b5d6dc1c3a559fcad55f5cf15b22e1f408692a35f8 |
| SHA512 | 69295601e8c20a97b512a99afec2609997b589d46a507b2738a6c974ee5b68bde0e56fce150ab1fc4355aa561e8125335378a9c648bbc533bc5b44de1b85b3e5 |
C:\Users\Admin\AppData\Local\Temp\nsdCF3A.tmp\liteFirewallW.dll
| MD5 | f31ba98a8d87faba153eea134968c854 |
| SHA1 | da0865cc1a86a39367f22897e1f9fbf4fb1f804f |
| SHA256 | 708fb54cffb6aea3547fc5ac745d1435ecc814df563bef59ba7a94f57d082bbb |
| SHA512 | d991a2dd5ef537b25898afd7b7e73274a3cb8e6f5fca1621af22ee2761b82baf220aecb0c84434566742e2ab00b2f57a3740ce9831e76d4e1829bac3e044c8e9 |
C:\Config.Msi\e5d00b7.rbs
| MD5 | bbd156b37cdd88883a8dc2a95b9a3b64 |
| SHA1 | fb947cd861109b8add0f5fa786a235d80436dabe |
| SHA256 | 05abcbfe5b81aedb8dfd841b287d264e34bfacf00ee5e9f3f4d3860118d25f8c |
| SHA512 | 7ce47b8b8a1d0d4bd9d6196eb8b11d7edf36fca6fdb3d62ce42725dc1382525631136daf9aa1b00fd4dffba442842c37bffae90fc82d7a94e681661537c0a22d |
C:\Windows\Installer\MSI6357.tmp
| MD5 | 4367508c0a612115c8d15c92b6ccec0c |
| SHA1 | cf19b8fd08d65af94f519e71b7976d3699ef1cd5 |
| SHA256 | a7d7b98449549710b359dcacb41642e26e9d79523fb1507860ba2ed4b314ef89 |
| SHA512 | 291a111cdd47182421786dec45a9cf08d10fdf2328afff60920f16eeaf8ee84e0c4c6fb2c04ab215e28473e5e4adca4ecfc80cba277dcd351797838e410d737c |
C:\Config.Msi\e5d01d8.rbs
| MD5 | 39b22088819558dc24e67f2b59587eb6 |
| SHA1 | b2ed3ee9653ffe2c4995aa7294e42d16803cd4f7 |
| SHA256 | 47edc74a458ebb621e3b4892793ee66f41f7f6c34a808affbdd2193795271fe9 |
| SHA512 | 86954a530dc1b10b817ef2adf1d8cdd87d7112a525e69780543a2e1ba07b8f8bf234d6f11e0453dbeacd1732ca6a79adb3009cd796517ada3302672cd8a52bb7 |
C:\Users\Admin\AppData\Local\Temp\tmp7EF3.tmp
| MD5 | 9e936c2078b286132cd6b9c8602fd17a |
| SHA1 | f638b8a7448daa6da754c9bb2fbf2cf4ee1b007e |
| SHA256 | fa994badb1e90b2629e0d955572ca57efe97169d20d6b4957e2f830e3680da9e |
| SHA512 | 6973f1eef2a2baccf2b0bccf5047f6db434698cd483c0b0dfbfcc2230c45bc1ce4a23e67b5ab7ec8767d4cc8d75dcc76eeb347038eabdf5ec99bc12e3a3bb946 |
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\setup\Uninstall-PerMachine-2024-4-15.952.4768.1.odl
| MD5 | 754e2832b69085da2e05578b46f7398f |
| SHA1 | 4f317385e8178385bf6c488e5c1cbc1a09c6903e |
| SHA256 | c27ff9ccdae9b57f8539617e879a7b2293e4c07a770ec2048c84de1cd2e29c2e |
| SHA512 | 6f9058ba42991805f3c1ef8f03b5b242d9014acd4b647d54483ceddd249aabe010726ac818661b6fa8360a2a1705fc25adf9dad8e071971739981209dc199649 |
C:\Windows\Installer\MSIB8FE.tmp
| MD5 | 67f23a38c85856e8a20e815c548cd424 |
| SHA1 | 16e8959c52f983e83f688f4cce3487364b1ffd10 |
| SHA256 | f3c935cac911d9024c7797e8ffe4cce7d28154b236ad3e182f9efb85cd5a0a40 |
| SHA512 | 41fc1b4e2f47d5705861ee726c8d5d7b42191e7d586b370981da268414f207f6dea00a59dc53012cf6510c44651fec4a3a33bf69e501d85fd2efd66517e4169d |
C:\Windows\Installer\MSICDCD.tmp
| MD5 | be0b6bea2e4e12bf5d966c6f74fa79b5 |
| SHA1 | 8468ec23f0a30065eee6913bf8eba62dd79651ec |
| SHA256 | 6bac226fb3b530c6d4b409dd1858e0b53735abb5344779b6dfe8859658b2e164 |
| SHA512 | dddb9689ad4910cc6c40f5f343bd661bae23b986156f2a56ab32832ddb727af5c767c9f21f94eec3986023bae9a4f10f8d24a9af44fa6e8e7e8610d7b686867b |
C:\Windows\Installer\MSIE8DB.tmp
| MD5 | 0e91605ee2395145d077adb643609085 |
| SHA1 | 303263aa6889013ce889bd4ea0324acdf35f29f2 |
| SHA256 | 5472237b0947d129ab6ad89b71d8e007fd5c4624e97af28cd342919ba0d5f87b |
| SHA512 | 3712c3645be47db804f08ef0f44465d0545cd0d435b4e6310c39966ccb85a801645adb98781b548472b2dfd532dd79520bf3ff98042a5457349f2380b52b45be |
C:\Config.Msi\e5d038e.rbf
| MD5 | 21438ef4b9ad4fc266b6129a2f60de29 |
| SHA1 | 5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd |
| SHA256 | 13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354 |
| SHA512 | 37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237 |
C:\Config.Msi\e5d01df.rbf
| MD5 | bfcccb06480faa017870261e7a6c9b94 |
| SHA1 | 71d2ce04db20065b69d999c0b42627a17476037a |
| SHA256 | a1edaea883c96161a942138e5ca1879dbae462dbc81688787b7a190589870c49 |
| SHA512 | 111f9578333300d8309fa6b6123f330dd3cb59c8ec365b81d2aee87338d84111a5d2eab4b056779df366e79768d521b230ae1c4be5161ece608a605945c6c041 |
C:\Config.Msi\e5d01de.rbs
| MD5 | 7a67d00045777fcc1bcb62772175fa86 |
| SHA1 | 9a939098c9a9ea08bb4e9a0d4e616377c2e6f41e |
| SHA256 | a5e6b2e7066a1651e8923a2203be15982ed118af39b83620fe023bc48cf0eef7 |
| SHA512 | b51ea5d456c1e332eb782819d14cf9bfbd0519207b4384d4884d3fa501012a70e9fd722b8d8dab182b766f84a105e432364195d59714564582f0a2a7b3c8282a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 0cc0aa6831de305844a40ad1d7526919 |
| SHA1 | 251d1288318eea41a93c159231d217eadb904045 |
| SHA256 | 49f35db0b15ac1fd2318d4ecc429a4178614b2eab2565f459700582df53f3c57 |
| SHA512 | 14008587b441f4f99c8db3f75cf91a7cd3e873f3e3acb973366bd81b5f7c190b1e842ca38f5aed3e8bc1155464de64bfec41781a1f56d8e651b955c8782e3054 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7d039f4e-e961-41a7-bf72-026d706be043.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 5bc3b1968436b3e6919bc3d2fd633b3c |
| SHA1 | 147176ada77765d3ebcc58dc3315426b60d2d3e9 |
| SHA256 | 9953c84e1f4cc6c2bf1c33cd1b31aba21b353dd7cb19c630397f17657828c4f4 |
| SHA512 | ae2613461aff1a5c035026533bc2c48e25e9a0e8adfec70067d29467d513a89ec0149aac004379693b0a0758574e2e506f6e879af325fc9d2d2089213754373c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ed10d15ba3e47fcb7368c24cd9b947d1 |
| SHA1 | 83a4c9ff12bb67dec76022d6425df69bb80cc367 |
| SHA256 | 688cb15cd8c45ea66a98ec38a9e6d98f83fe7c1998521caf2c55c260cef817ce |
| SHA512 | 5a9e0890b19d25104290f63cdc6a69dab8d0d4d85228ca1cfe0c42f0c71aa7704a567602f23c1c1cdd3a3b70477f7ff2274208d6e56269a65ba17eb8d01d7fc3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 158d08438d3e83f6f1faa4107ca68362 |
| SHA1 | 2eb9e074a5410dd4956f03cbf2f3727ffde1441e |
| SHA256 | 163860136e21b2e4d5ff8ee6a328d452ccd8f609f4bc46e893c6658ffc882b0d |
| SHA512 | da4ecd1271dda1f342fa38c9a8e5955b1c51df87363eaefc236cac0c66f45cf5f093f7b0a39a40a0f808b5d97e7eed12d88bcc2e113d52ae5d606f3e03e9b36f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 932994c42dd50a7647194b0458057322 |
| SHA1 | 77963662cf41bfa3541d7ba0768993f601805560 |
| SHA256 | ccbf381c1178c2cf78572dc243dcc8aed4c7a60f9d302e61d3468b6d79acc186 |
| SHA512 | fe03b49aa980c784a470ab18c95abf3510a1c7ee733d2fb585679bd585b1a1c6b7a7417cbea71441db3e23fa07edc36bf1a3faece4da589781e971a88cfc3d9c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cb004d96dce381bda829e03cd770d181 |
| SHA1 | 86eb85279a1ba8b6ee17690f5baa571a559dc92b |
| SHA256 | b3106616fc90303a0f0aa05f63788b0adf695cfd8ee02c620704970f2e8eb0ff |
| SHA512 | 6fc8ed284aba54b0f8a2f775807198d0d448bff9555a0b27a6185b750d02f532fa337c1e0eba573d170d93cb0a5aec8a9970d25c49699a75205301ad0af9318d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 8c038be6723273806d7d5562e4228bf6 |
| SHA1 | 50f721ba3239e812bc0d4d33bba169b86c269381 |
| SHA256 | 61502f3036930033099e40eb96f9a1612af7838c9da8bef274359d2297a9152c |
| SHA512 | 2c1534eb38653aca733c396cdb02fecfe6a0f48ca5e3a7c8da4a38b77fd2dbe5ece2e7c6ec3645cd4b5f2e7dbd473fadf47b08b45e84611d6abd78fa237251e4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | eea8da9bab7ad2bbee6080fea87f57a4 |
| SHA1 | 195818b7250bca18dbe08cafcc69bb2249084ce5 |
| SHA256 | ced6df99675c41406314840fb4fb835f71a00595f93dc2059467ba25c2ebe194 |
| SHA512 | add3fb6a0e2e5abe7d56f88fc5d1bf6232c61deac19b31cbc5dfaa0def6b58f3c30d9e2f8328fbe883f2f1ce50923ba4b261e670363379e292618acc55972bb4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 176a6060044a0d0c0dae40dd183b21d0 |
| SHA1 | b1a2d105e352275d26896d80226a66da9b414754 |
| SHA256 | c1e369f70974ffe13fe433a058aaa3212eac6adfaf1918c732b768243992374a |
| SHA512 | 4be349bb1fbcda1abe29ff2750f309b308a498f66a009728c25faa579d40ab8c7fb26fe487422d14d69d5aac5c1aae4f063966398e5fc3b3f154562917bcb3fb |
memory/2276-2355-0x00000216C4000000-0x00000216C4001000-memory.dmp
memory/2276-2356-0x00000216C4000000-0x00000216C4001000-memory.dmp
memory/2276-2357-0x00000216C4000000-0x00000216C4001000-memory.dmp
memory/2276-2361-0x00000216C4000000-0x00000216C4001000-memory.dmp
memory/2276-2362-0x00000216C4000000-0x00000216C4001000-memory.dmp
memory/2276-2363-0x00000216C4000000-0x00000216C4001000-memory.dmp
memory/2276-2367-0x00000216C4000000-0x00000216C4001000-memory.dmp
memory/2276-2366-0x00000216C4000000-0x00000216C4001000-memory.dmp
memory/2276-2365-0x00000216C4000000-0x00000216C4001000-memory.dmp
memory/2276-2364-0x00000216C4000000-0x00000216C4001000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\TempState\StartUnifiedTileModelCache.dat
| MD5 | 6c0b3c094058704821edad21dad50a89 |
| SHA1 | 75927526c463671828538e54f8fd6e8ebd7ad37e |
| SHA256 | 982ad20dec32798fbe1625a9ee9f4de282c62abc2816f11680abdd43ccae895d |
| SHA512 | 1f6805d192e88dfa0c8751a184e490df4ff98b5a1b5f5c87d7677e5c9e775b5c1bb6b3a4a67671fca7a5371cc8815c406b70a7616df9b007f878835d87f4841f |
memory/4364-2375-0x000001B017F40000-0x000001B017F50000-memory.dmp
memory/4364-2391-0x000001B018040000-0x000001B018050000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 09b2b6ccf61ab3430c3dba84ce4b4a5d |
| SHA1 | a9e17e97479a23208ef5a837c8660c2d5d3a7e2d |
| SHA256 | 904ae2be8fe19e1bb41747f469263c974b18ed64cf52d774bf4d7baa43e96271 |
| SHA512 | b071de45a87f31e57f5339774593d1e1aa14bed065fccae88947927c41f331cb3e2b38011bb87dae8b8d7de1bc3165c141c7419aca74f0de8a5465a1af07b46a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4a44afd95ea83e885faff1ab1228c6e7 |
| SHA1 | ff509c060709eafd436ee7f1c4e54b864fba3789 |
| SHA256 | 65f527c823f1734b32db044ee69db5a3c73eca11486af7ee76d7d3c6ff280c21 |
| SHA512 | 8d9c6bbeb526ebdaecc64775ce11ffb7f5fb12d5e64aa109ce85a10863b9b9d79d0c96f2c93842624c45c44dae0db3a0217b5022086e183b69e5f4f03a94b207 |
memory/3468-2537-0x0000000140000000-0x00000001402DA000-memory.dmp
memory/3468-2539-0x0000000140000000-0x00000001402DA000-memory.dmp
memory/2340-2540-0x0000000140000000-0x00000001402DA000-memory.dmp
memory/2700-2547-0x00007FF768D40000-0x00007FF768D48000-memory.dmp
memory/5072-2548-0x00007FF995E90000-0x00007FF995E9B000-memory.dmp
memory/5072-2550-0x00007FF995E90000-0x00007FF995E9B000-memory.dmp
memory/2700-2552-0x00007FF768D40000-0x00007FF768D48000-memory.dmp
memory/2340-2557-0x0000000140000000-0x00000001402DA000-memory.dmp
memory/4964-2563-0x00007FF7A4D80000-0x00007FF7A4D88000-memory.dmp
memory/4596-2564-0x00007FF995F70000-0x00007FF995F7B000-memory.dmp
memory/4596-2567-0x00007FF995F70000-0x00007FF995F7B000-memory.dmp
memory/2340-2573-0x0000000140000000-0x00000001402DA000-memory.dmp
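A parser for this listing, added here as an example and not part of the report or of the sandbox's own tooling. It walks the path-plus-hash blocks and the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` names above, rejects digests of the wrong length instead of guessing, computes the size of each dumped region, flags regions that start at 0x140000000 (the MSVC linker's default image base for 64-bit executables, used here as a heuristic for a non-relocated PE image; the report itself does not say what each dump contains) and groups identical ranges that recur across PIDs, as the 0x140000000-0x1402DA000 range does for PIDs 3468 and 2340. The SAMPLE input is constructed from lines of this report; the record and helper names are my own, not the report's schema.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing.

Added example, not code from the original report. Format handled: a file path
on its own line followed by `| MD5 | <hex> |` ... `| SHA512 | <hex> |` rows,
interleaved with `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` lines.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Default image base the MSVC linker gives 64-bit EXEs. A dumped region that
# starts here is consistent with a PE image that was not relocated. Heuristic
# only: the report does not state what each dump contains.
X64_EXE_DEFAULT_BASE = 0x140000000

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def at_default_exe_base(self) -> bool:
        return self.start == X64_EXE_DEFAULT_BASE


def parse_listing(text: str):
    """Return (files, regions, errors). Malformed rows are reported, not guessed."""
    files, regions, errors = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            current = None  # a dump line ends the previous file's hash block
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None:
                errors.append(f"line {lineno}: {algo} row with no preceding file path")
            elif len(digest) != HASH_HEX_LEN[algo]:
                errors.append(f"line {lineno}: {algo} has {len(digest)} hex chars, expected {HASH_HEX_LEN[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        if line.startswith("|"):
            errors.append(f"line {lineno}: unrecognised table row: {line}")
            continue
        current = DroppedFile(path=line)  # any other line starts a new file record
        files.append(current)
    return files, regions, errors


def shared_ranges(regions):
    """Map each (start, end) range to the set of PIDs it was dumped from; a range
    that recurs in several processes is one image seen in more than one process."""
    out = defaultdict(set)
    for r in regions:
        out[(r.start, r.end)].add(r.pid)
    return dict(out)


# Constructed sample: a few lines copied from this report's listing.
SAMPLE = """\
C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Preferences
| MD5 | 932994c42dd50a7647194b0458057322 |
| SHA1 | 77963662cf41bfa3541d7ba0768993f601805560 |
| SHA256 | ccbf381c1178c2cf78572dc243dcc8aed4c7a60f9d302e61d3468b6d79acc186 |
| SHA512 | fe03b49aa980c784a470ab18c95abf3510a1c7ee733d2fb585679bd585b1a1c6b7a7417cbea71441db3e23fa07edc36bf1a3faece4da589781e971a88cfc3d9c |
memory/3468-2537-0x0000000140000000-0x00000001402DA000-memory.dmp
memory/2340-2540-0x0000000140000000-0x00000001402DA000-memory.dmp
memory/2700-2547-0x00007FF768D40000-0x00007FF768D48000-memory.dmp
"""

if __name__ == "__main__":
    files, regions, errors = parse_listing(SAMPLE)
    for f in files:
        print(f.path, f.hashes.get("SHA256"))
    for r in regions:
        flag = " (default x64 EXE image base)" if r.at_default_exe_base else ""
        print(f"pid {r.pid}: 0x{r.start:X}-0x{r.end:X} size 0x{r.size:X}{flag}")
    for rng, pids in shared_ranges(regions).items():
        if len(pids) > 1:
            print(f"range 0x{rng[0]:X}-0x{rng[1]:X} dumped from pids {sorted(pids)}")
    for e in errors:
        print("warning:", e)
```

Run against the whole listing rather than SAMPLE to get every dropped-file hash set in one structure for IOC matching; the `errors` list is the place to look when a line was cut short by extraction, since a truncated digest is dropped with a warning rather than silently stored.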