Malware Analysis Report

2024-09-09 20:21

Sample ID: 240614-bpvp7szarg
Target: http://windows.com
Tags: evasion persistence ransomware
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file http://windows.com was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware

Modifies visibility of file extensions in Explorer

Modifies Installed Components in the registry

Drops startup file

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Windows directory

Drops file in Program Files directory

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer Protected Mode

Checks processor information in registry

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies Internet Explorer start page

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-14 01:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 01:19
Reported: 2024-06-14 01:39
Platform: win7-20231129-en
Max time kernel: 496s
Max time network: 1107s

Command Line

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://windows.com

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Explorer.EXE N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "Stand.ADi8mn" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514" C:\Windows\Explorer.EXE N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\System32\regsvr32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Stand.ADi8mn\Saved Games\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Searches\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1001\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Contacts\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Desktop\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Contacts\desktop.ini C:\Program Files (x86)\Windows Mail\WinMail.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Windows\Explorer.EXE N/A
File opened for modification C:\Users\Stand.ADi8mn\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Links\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Favorites\Links\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Contacts\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Favorites\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Links\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Desktop\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Favorites\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Searches\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Downloads\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1001\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Saved Games\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File created C:\Users\Stand.ADi8mn\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Program Files\Windows Mail\WinMail.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Favorites\Links for United States\desktop.ini C:\Windows\System32\mctadmin.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Downloads\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\Explorer.EXE N/A
File opened for modification C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\System32\regsvr32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\Stand.ADi8mn\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\Stand.ADi8mn\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Windows\System32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\ie4uinit.exe N/A
File created C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.DAT C:\Windows\System32\rundll32.exe N/A
File opened for modification C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.INI C:\Windows\System32\rundll32.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT C:\Windows\System32\ie4uinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Windows\Explorer.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Explorer.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Explorer.EXE N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data C:\Windows\system32\csrss.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\System32\ie4uinit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\39 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.midi C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wax C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "DokChampa" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\34 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\14\IEPropFontName = "Kalinga" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\26\IEFixedFontName = "NSimsun" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Settings\Use Anchor Hover Color = "No" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\ C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Zoom C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmz C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\38 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\28 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\37 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "DokChampa" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "Sylfaen" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\LinksBar C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\8 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\14 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Document Windows C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Document Windows\height = 00000000 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Security\Safety Warning Level = "Query" C:\Windows\System32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\Show_FullURL = "no" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\Show_URLToolBar = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\SQM\InstallDate = "1718328101" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Setup C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\29\IEFixedFontName = "Plantagenet Cherokee" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\39\IEPropFontName = "Mongolian Baiti" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\18\IEFixedFontName = "Kartika" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\6 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "Raavi" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\21 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\7\IEFixedFontName = "Sylfaen" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\19\IEFixedFontName = "Cordia New" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\19\IEPropFontName = "Angsana New" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "yes" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.midi C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\5\IEPropFontName = "Times New Roman" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\18 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\33 C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\Do404Search = 01000000 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\5\IEFixedFontName = "Courier New" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\25\IEFixedFontName = "MingLiu" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Desktop C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\15\IEPropFontName = "Vijaya" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\29 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\SOFTWARE\Microsoft\Internet Explorer\Services C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\New Windows\UseSecBand = "1" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\New Windows\PlaySound = "1" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmx C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\System32\mctadmin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\31 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\Show_StatusBar = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\System32\mctadmin.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New" C:\Windows\System32\ie4uinit.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" C:\Windows\System32\ie4uinit.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" C:\Windows\system32\winlogon.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" C:\Windows\system32\winlogon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" C:\Windows\system32\winlogon.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic\ = "{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-msvideo\Extension = ".avi" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u\OpenWithProgIds\WMP11.AssocFile.m3u = "0" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mpegurl\Extension = ".m3u" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.mid\OpenWithProgIds\WMP11.AssocFile.MIDI = "0" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.snd C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.TTS\OpenWithProgIds\WMP11.AssocFile.TTS = "0" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MMS\Source Filter = "{6B6D0800-9ADA-11d0-A520-00A0D10129C0}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1001_CLASSES\Local Settings\Software\Microsoft C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp2\OpenWithProgIds\WMP11.AssocFile.MP3 = "0" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-asf-plugin\CLSID = "{cd3afa8f-b84f-48f0-9393-7edc34128127}" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.cda C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.adt\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mpe\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.m2ts C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wms C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mpeg\CLSID = "{cd3afa76-b84f-48f0-9393-7edc34128127}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/vnd.dlna.adts C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wma C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.au\OpenWithProgIds\WMP11.AssocFile.AU = "0" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ADT\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.asf\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.MPEG C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-asf C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.WMV\PreferExecuteOnMismatch = "1" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wmv C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.MP3\PreferExecuteOnMismatch = "1" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mov\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wmd\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.WVX\PreferExecuteOnMismatch = "1" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpg C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.3GP C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.3gp2\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/3gpp2\Extension = ".3g2" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mp3\CLSID = "{cd3afa76-b84f-48f0-9393-7edc34128127}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.adts C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mp3 C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mp3 C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mms\shell\open\command C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-midi\Extension = ".mid" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/vnd.dlna.mpeg-tts\CLSID = "{cd3afa9b-b84f-48f0-9393-7edc34128127}" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.WTV\OpenWithProgIds\WMP.WTVFile = "0" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.m1v C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.M2T\OpenWithProgIds\WMP11.AssocFile.M2TS = "0" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/vnd.dlna.adts\Extension = ".adts" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/midi C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.M3U\PreferExecuteOnMismatch = "1" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp2v\OpenWithProgIds\WMP11.AssocFile.MPEG = "0" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-mplayer2\Extension = ".asx" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.aif\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mp2v C:\Windows\System32\unregmp2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Windows Mail\WinMail.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2036 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2892 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2744 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 2232 wrote to memory of 2640 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://windows.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6729758,0x7fef6729768,0x7fef6729778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1224,i,4639720493593665414,1985037441559368498,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1224,i,4639720493593665414,1985037441559368498,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1224,i,4639720493593665414,1985037441559368498,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2252 --field-trial-handle=1224,i,4639720493593665414,1985037441559368498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1224,i,4639720493593665414,1985037441559368498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1252 --field-trial-handle=1224,i,4639720493593665414,1985037441559368498,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3304 --field-trial-handle=1224,i,4639720493593665414,1985037441559368498,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 --field-trial-handle=1224,i,4639720493593665414,1985037441559368498,131072 /prefetch:8

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6729758,0x7fef6729768,0x7fef6729778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1380 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1344 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3116 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3752 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3912 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:1

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1072 --field-trial-handle=1284,i,325754172955052911,11471900981391151045,131072 /prefetch:8

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\userinit.exe

C:\Windows\system32\userinit.exe

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files (x86)\Windows Mail\WinMail.exe

"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -UserConfig

C:\Windows\System32\ie4uinit.exe

C:\Windows\System32\ie4uinit.exe -ClearIconCache

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fb87688,0x13fb87698,0x13fb876a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fb87688,0x13fb87698,0x13fb876a8

C:\Windows\System32\slsogk.exe

"C:\Windows\System32\slsogk.exe"

C:\Program Files\Windows Sidebar\sidebar.exe

"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun

C:\Windows\SysWOW64\runonce.exe

C:\Windows\SysWOW64\runonce.exe /Run6432

C:\Windows\System32\mctadmin.exe

"C:\Windows\System32\mctadmin.exe"

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
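
Added example (my own code, not part of the sandbox report or of Chrome): a classifier for the command lines listed above. Chrome runs as one browser process plus children selected with --type=... (crashpad-handler, gpu-process, renderer, utility with a --utility-sub-type), and the sandbox broker in the browser process initialises each child by writing into its address space, which is what the "PID 2232 wrote to memory of ..." rows record; those rows are therefore expected for a browser, and whatever signal exists is in processes outside that tree. The code buckets the Chrome tree, separates the installer (chrmstp.exe), reports utility services whose --service-sandbox-type is none, and returns every other image (DllHost, rundll32, slsogk.exe and the other Windows binaries above) for manual review. The sample list is a constructed subset of the report's command lines and the category names are mine.

```python
"""Classify process command lines from a sandbox process list (added example)."""
import re
from collections import Counter

# Constructed sample: a subset of the command lines listed in the report.
SAMPLE_CMDLINES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --single-argument http://windows.com',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --renderer-client-id=6 /prefetch:1',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none /prefetch:8',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --service-sandbox-type=utility /prefetch:8',
    r'"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level',
    r'C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}',
    r'"C:\Windows\System32\slsogk.exe"',
    r'C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36',
]

# First token of the command line: either a quoted path or a bare one.
_IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
_CHROME_DIR = '\\google\\chrome\\application\\'


def _flag(cmdline, name):
    """Value of a --name=value switch on the command line, or None."""
    m = re.search(r'--%s=(\S+)' % re.escape(name), cmdline)
    return m.group(1) if m else None


def classify(cmdline):
    """Return image, basename, Chrome process type/subtype/sandbox and a category."""
    m = _IMAGE_RE.match(cmdline)
    image = m.group(1) or m.group(2)
    base = image.rsplit('\\', 1)[-1]
    rec = {'image': image, 'basename': base, 'type': None, 'subtype': None, 'sandbox': None}
    in_chrome_dir = _CHROME_DIR in image.lower()
    if in_chrome_dir and base.lower() == 'chrome.exe':
        rec['type'] = _flag(cmdline, 'type')
        rec['subtype'] = _flag(cmdline, 'utility-sub-type')
        rec['sandbox'] = _flag(cmdline, 'service-sandbox-type')
        # No --type means this is the browser (broker) process itself.
        rec['category'] = 'chrome-child' if rec['type'] else 'chrome-browser'
    elif in_chrome_dir and base.lower() == 'chrmstp.exe':
        rec['category'] = 'chrome-installer'
    else:
        rec['category'] = 'other'
    return rec


def summarise(cmdlines):
    """Count of command lines per category."""
    return Counter(classify(c)['category'] for c in cmdlines)


def review_candidates(cmdlines):
    """Basenames of everything outside the Chrome tree, in report order."""
    return [r['basename'] for r in map(classify, cmdlines) if r['category'] == 'other']


def unsandboxed_services(cmdlines):
    """Utility sub-types that Chrome launched with --service-sandbox-type=none."""
    return sorted(r['subtype'] for r in map(classify, cmdlines)
                  if r['category'] == 'chrome-child' and r['sandbox'] == 'none')


if __name__ == '__main__':
    print(dict(summarise(SAMPLE_CMDLINES)))
    print('review:', review_candidates(SAMPLE_CMDLINES))
    print('unsandboxed:', unsandboxed_services(SAMPLE_CMDLINES))
```

Run it over the full process list by pasting the command lines into SAMPLE_CMDLINES; the "other" bucket is the list to read by hand, since a random-looking name such as slsogk.exe under System32 is what the rest of the report needs to justify.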

Network

Country Destination Domain Proto
US 8.8.8.8:53 windows.com udp
NL 20.76.201.171:80 windows.com tcp
NL 20.76.201.171:80 windows.com tcp
US 8.8.8.8:53 windows.microsoft.com udp
GB 2.22.102.181:443 windows.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 216.58.212.195:80 www.gstatic.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 ogs.google.com udp
GB 142.250.187.238:443 ogs.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
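
Added example (my own code, not the sandbox's tooling): parse the Network table above and answer the questions an analyst asks of it: which names were actually connected to rather than only resolved (www.microsoft.com is looked up but never contacted, www.gstatic.com is contacted with no lookup in the table), which hosts were reached over plaintext HTTP on port 80, and which UDP/443 rows are QUIC rather than DNS. The table string is copied from the report with exact duplicate rows dropped; the 224.0.0.251:5353 row is mDNS to the local link and carries no domain, which the parser has to tolerate.

```python
"""Summarise a sandbox Network table (added example, not part of the report)."""
import ipaddress
from collections import defaultdict

# Copied from the Network table of this report (exact duplicates dropped).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 windows.com udp
NL 20.76.201.171:80 windows.com tcp
NL 20.76.201.171:80 windows.com tcp
US 8.8.8.8:53 windows.microsoft.com udp
GB 2.22.102.181:443 windows.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 216.58.212.195:80 www.gstatic.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 ogs.google.com udp
GB 142.250.187.238:443 ogs.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 216.58.213.3:443 ssl.gstatic.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 beacons.gcp.gvt2.com udp
GB 172.217.169.67:443 beacons.gcp.gvt2.com tcp
GB 172.217.169.67:443 beacons.gcp.gvt2.com udp
"""


def parse_rows(text):
    """Rows as dicts; a row with no Domain column (multicast) gets domain ''."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ''
        else:
            raise ValueError('unexpected row: %r' % line)
        ip, port = dest.rsplit(':', 1)
        rows.append({'country': country, 'ip': ip, 'port': int(port),
                     'domain': domain, 'proto': proto})
    return rows


def is_dns(row):
    """UDP/53 to the resolver: a lookup, not a connection to the named host."""
    return row['proto'] == 'udp' and row['port'] == 53


def is_multicast(row):
    return ipaddress.ip_address(row['ip']).is_multicast


def connections(rows):
    """domain -> sorted (ip, port, proto) tuples, excluding lookups and multicast."""
    out = defaultdict(set)
    for r in rows:
        if is_dns(r) or is_multicast(r):
            continue
        out[r['domain']].add((r['ip'], r['port'], r['proto']))
    return {d: sorted(v) for d, v in out.items()}


def plaintext_http(rows):
    """Names reached over TCP/80, i.e. without TLS."""
    return sorted({r['domain'] for r in rows if r['proto'] == 'tcp' and r['port'] == 80})


def resolved_only(rows):
    """Names looked up but never connected to."""
    queried = {r['domain'] for r in rows if is_dns(r)}
    return sorted(queried - set(connections(rows)))


def connected_without_lookup(rows):
    """Names connected to with no DNS query in the table (cached or hard-coded)."""
    queried = {r['domain'] for r in rows if is_dns(r)}
    return sorted(set(connections(rows)) - queried)


def quic_candidates(rows):
    """UDP/443 is QUIC, not DNS; list the names using it."""
    return sorted({r['domain'] for r in rows if r['proto'] == 'udp' and r['port'] == 443})


if __name__ == '__main__':
    rows = parse_rows(NETWORK_TABLE)
    print('plaintext http:', plaintext_http(rows))
    print('resolved only:', resolved_only(rows))
    print('no lookup:', connected_without_lookup(rows))
    print('quic:', quic_candidates(rows))
```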

Files

\??\pipe\crashpad_2232_OZKVEGODLQRJJOXA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar20CF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e2c063951127321bfdd9004b00f7cc49
SHA1 2c6bf63c2b6e559cb73ff42488266ed74f800617
SHA256 37ba4e06f2bb54bfbea2cb315ece0f93d1b9560ed9fda1d79363c13991d960ed
SHA512 602b61148e8344ece20ae14c8eaea4a18aeb1306e6d47fbdd3d7b5138a1b0fac6cd14b9c9db7ec3d775d08dc7f98827c18a315e2b2230e5c75d0ce0c45d24a7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ed0e3538-2cce-4c76-8c8c-382235a1c2af.tmp

MD5 7a86112c820d1db541b7d46e01ceeaca
SHA1 dba50111870c9f45256579e23ccb045fa46b999c
SHA256 b27022f67b61b4bd1709a09b1f9fcf0910199fa869edfad0b4f6da6afd3734d4
SHA512 32c59e2aaf6e0af590ffcf5954877eaf13bee36cda670a62b7dd4e374b5a49f5c2410c176d356723bbc7cc38ba6687e0957d346c2dc5836f211a41385c8b789a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 cc224701d3988dd5549f5d4adbf10fe4
SHA1 bf7837f102c82b785f087208d907c86f3de96bb4
SHA256 ab4b477c15da3d33fd048de6a07bc97f38cb55f647a7cbb9c39ccbe56e18cb21
SHA512 da48b8a59c7a8434d277f18dff52557066aea503d889b4c06a840e0412afc0732ad8958a95f5d14d92b7cbf503ae0d1a32c5da87027c5df69591e85a973724d9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

MD5 961e3604f228b0d10541ebf921500c86
SHA1 6e00570d9f78d9cfebe67d4da5efe546543949a7
SHA256 f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed
SHA512 535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13362801596535400

MD5 e4282f3baf71570502ecc483ef9dd26f
SHA1 b7df7377a83434113d25c78f831881551808d09c
SHA256 2d23266ba03e7a7f21c8841254e5e975865c7f3c168ba8a44fdda3f5c2064ca8
SHA512 30ecbbd1f5a9ebdbbf3e58eced6b48a032d9d3a2531fee09f75e0bfdf3ac3586422208e48b1cf9275b0b9ea29fcdeda081c45c3cdd2859fe854e6b733272983a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

MD5 1a4ca9070765cb8eb3320588d6b0b6bd
SHA1 dfa85e85c97ec3fbebf9348ce66dfa79f28574dc
SHA256 92682e86819a76399c791eb4a6f66bc4aa51ee1e044178459406e9a97618c0f7
SHA512 905bc0730aa625d7227ae7a8a3b99cb058039b8d9a1c602eaad9091b642ef9a6c012bb14a255001651d3a56e8ff50cdffd500a317a0455c8b50109c53f9ac599

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1656edcd1da30a2f99aecb6edf78a908
SHA1 0b46ba80ac79898e6996c30e94ea47dd7f8ab649
SHA256 cf8fac79f6c8cd25c18f5e36cc410ac33b9accb1de908ed5e9f547832c7748fb
SHA512 ad64eef0c896482ee64a80026aadd13560ea2d78134cff00571a3dbe020283c4289dcd7d4a4494339052cb6c464cc0d65fafed53aca28a1373fa732b5fab4996

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log

MD5 894a6f85ffb1ffe2efa3a71252b41dd2
SHA1 004c8c7ef0edadba5020eaea2a59234493fb39ba
SHA256 1a11fa443a9c5276f83ffb7498a8731b48448ddad02dd5bf2857ac46616c0510
SHA512 311ce543e4829a598d6f6e92f9692bc0ccb291279d78d753e36db110efdeb6f5e6680d1558ccc23ac890f844585bc008e9c7d15fb3b35c69e97eb03638c2a63a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007

MD5 f9b398adaa849beec315e5f6f0bee834
SHA1 e24fb84ed0adccb30cc05c0129115d582e5e98e5
SHA256 1e6c50f9e61028b66f8c19f8fd6f2d60c40fee3602397f1f47188ce9813d6257
SHA512 b37ff594d12159f36368f1529f1069e9b61b820fa94ae567084a9944abcc4c5eaa4c037eb236f3198b649ba989a628571caceda98404aa05b8cfaebe45d5758f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

MD5 25576758c2fe54cc6cf36adc96da8c20
SHA1 0ef4d6c8c608289a73d60e5f2ab9f2dd71771c13
SHA256 043ac5cd99239b1974d2fc0cc59602d60a562b89d38cb629faab112b98a35fa6
SHA512 65c3ba923b8a913bc148f41f18fd39f1dd4c9f501a997d6bb6c170a65192d75faab64b931763c1e72e3ffd5420b57f31a221787aa49d71449bedc1f1ea3f87d3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000008.log

MD5 c57eb64be1f584710780e0671f0d75b5
SHA1 6a0c98fdc7c6efeb4cc5677d0f63dfc77bad5908
SHA256 c695e68e3605e0018d90d2fdcbf76bc465e58304869fe594d793309b92cfe4c6
SHA512 392defb51e091624af23d3cda854ae5536aa11688bb0342e45e702d06cc6aa8c1d73c1f41f53c101f9cbb325551be221b97f5d226e891bb88b73cc5a2f335fae

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007

MD5 22b937965712bdbc90f3c4e5cd2a8950
SHA1 25a5df32156e12134996410c5f7d9e59b1d6c155
SHA256 cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb
SHA512 931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

MD5 0c9213c87ca38c4692c02766420b6bcc
SHA1 fd231aaf4549b16889aff792eabf8fab495bd808
SHA256 4343b6ba2d170d0fa55f837d167da34c95d06e82e250f60000e6fb871ef8751b
SHA512 e17b66f64e7790d742cc37d6fe107b776619d76c7c0bd131f88445819ec8723c9c796481aaafcf6336021b0deb267233003f366b80f30b104ac60bdd32a942b0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

MD5 9eae63c7a967fc314dd311d9f46a45b7
SHA1 caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA256 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512 bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000009.log

MD5 e9c694b34731bf91073cf432768a9c44
SHA1 861f5a99ad9ef017106ca6826efe42413cda1a0e
SHA256 01c766e2c0228436212045fa98d970a0ad1f1f73abaa6a26e97c6639a4950d85
SHA512 2a359571c4326559459c881cba4ff4fa9f312f6a7c2955b120b907430b700ea6fd42a48fbb3cc9f0ca2950d114df036d1bb3b0618d137a36ebaaa17092fe5f01

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\MANIFEST-000007

MD5 b6d5d86412551e2d21c97af6f00d20c3
SHA1 543302ae0c758954e222399987bb5e364be89029
SHA256 e0b2fdc217d9c571a35f41c21ed2596309f3f00a7297a8d1ded05f54f0e68191
SHA512 5b56ae73a61add9e26f77d95c9b823f82a7fcdc75eed64b388fb4967f5c6c42cb0796b0b99dc25c89f38952786176c10d173dec7862a8a5ce5f820280f72d665

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

MD5 1c826a34c17683a705d9c2223037a66d
SHA1 871d084212c70eb2c7b45ed2c38cfe6a862a98d4
SHA256 6f9c4399002fa4a21e665956aab5479f2de79403cabdf26d1bfd58af9d574be1
SHA512 16724655c41eab0047bbe7e994463204c4cb2d59f1b2f0cd523ad9e4b9683334ad119aa14f35a48dbef574cf1410c50044cc3965e5f1f2c443273c24ce0e57b9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000008.ldb

MD5 b0b509b9ced8a11dc49eeb07a2f0f450
SHA1 6e8825afd638b10cfb98f5d2eb693508a735c734
SHA256 058247690c9bb8142d94c05bc916796b14c51768bde0d671a481279dd945d357
SHA512 12590a2e702d51daac3b66b84dd359e1147294deb1f7c353df7eba14f5e0602d79393347b61a270929bcaeed77286f8cec91a7446b7c7323768fb79dec3c450c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log

MD5 8f863be793fc1466742d98422e1d41ae
SHA1 ab22bf35f460a26f450865317462ffc978bf6656
SHA256 3529c35d9a91515522104e65815f9f2454692e21f2bb6af9a5e6bcb9c7ef5f9a
SHA512 50912b7c80b53fda2595c44bd2362a1e43188ab07e88f8b359414d296ddfb628523c5726191a27fcaa7e307dafb000665808465b3c3f6473523f5ee49168e956

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007

MD5 1c0c23649f958fa25b0407c289db12da
SHA1 5f6b10cd5a39fe8c30353bcf4cd4e4a60ef35574
SHA256 d5134b804a775cfb79c6166d15b5721d38ffc2da11948a6c1263595d6c2941cf
SHA512 b691e882018833a108bd286bc76c55a140d00d5a266617a3a381af1ceff01aefaef17acef29d14dec931d7051455726cde8974cd04cc07302f1c3cc452fe2f52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

MD5 e89d8d14dbd43fa5a7e8995275ac566d
SHA1 ea7613b006537cb7e59c10289a8a25bbb72ead5b
SHA256 c8b6dd159a3d5d776d5fd76a038f4e1a238421d774dfb2b23ecc0045f5225ad8
SHA512 bd3fe1a6f2401fb863ed092d59dee1a848d593b7c43eed267900436f255d59d9623ba14e9dbaa9d147011655d3ee1c1589ac0d28373d6df080a028922d13a09e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

MD5 60e3f691077715586b918375dd23c6b0
SHA1 476d3eab15649c40c6aebfb6ac2366db50283d1b
SHA256 e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee
SHA512 d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log

MD5 fe62c64b5b3d092170445d5f5230524e
SHA1 0e27b930da78fce26933c18129430816827b66d3
SHA256 1e1a9ca70503efd8c607f9bc7131f08aba0476d75f2586dadb4da5485a5315d4
SHA512 924daccfbfb0c0464b4c5fd769e01a8f2e96fe28b635aa27ab4cd91766b05b03bbf941af14c017436107673f01bad815ce1fac2a649e745c76b3c736994b4fd2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007

MD5 b144a5356106960cd35c014ead7e932f
SHA1 ae54b49136ef78e9e0b211d77202b6d50bb71109
SHA256 221250efb84aeb3d4ada055bfea4958463e942ff54129799af90fd623d3ddd94
SHA512 92d30cdee8177fcadcbf044f62b2707548ed43654685dd220e5d190733fea935e694dfb58933c4efcac66d81b22e19e81f2bcc3b20a8d8e80b596a7d2af32953

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

MD5 81779a980583062e52499dadea8b6052
SHA1 176e4ac7d770bc0405b9e75ded2b44e02b842445
SHA256 639d27d5d53c22075a3911025620abd592b748f78c9b7beebd3249dd0610fcfe
SHA512 d244a7222e5e6a06a328d10d8123a9bf9fb18a2759d3e7a927a484a0d52f5e86010dd33073249d29a96c5779b5bbbf4b58d76fa6b4558348b588a31862a57f84

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

MD5 979c29c2917bed63ccf520ece1d18cda
SHA1 65cd81cdce0be04c74222b54d0881d3fdfe4736c
SHA256 b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53
SHA512 e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\MANIFEST-000007

MD5 1be22f40a06c4e7348f4e7eaf40634a9
SHA1 8205ec74cd32ef63b1cc274181a74b95eedf86df
SHA256 45a28788cde0d2a0232d19c391eae45777fe640790ac0674d6daa5672c444691
SHA512 b8f6f42d375e3ad8015d744fa2814994fa6e588b41cce0131fca48194dd40146b08169a8ce0da350525ff32a59a16edb503c72e0f07254955c82a0d38074856e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

MD5 24fbbe8a66d6ffa2ef859e4cacf1b503
SHA1 dd93212af34b8458c65e3fc58cf6009715d6d78f
SHA256 e88722405a77cefc9b778105581f9a84746366fe008fc41433721094e210b14d
SHA512 3987d0df930e7bb7e0887e21ebb30109bbdb0ddae8c8c008614e24db0b66436b13f78613fd814483f2af39d20867c3dbd00dad38da902159be76be2f17313e78

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

MD5 d2ad253e04ec72e8cc64b472cc996ce0
SHA1 cc0c5f244aa289778130714768523e71d4c6c989
SHA256 16d2c7b3adbb7f36f4fd66adce698e0cba169521f59c6e8223b3ef92ece207fc
SHA512 b937bf6e5ec362122857930743407c61485c5d163fef83c19033f037429c9e8b4127bdd77e00dae46a0d4a89599b078f94296e088949d4a785a24f05e68ed8e4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

MD5 c42f8516ccf71c14311c11a895015b12
SHA1 88658dcc0e25c48ba339520544e850133cc1afe2
SHA256 b0ec0ed81215b90a2df452d72e670c3923f365b7184ca6b05c3d5bf061d63067
SHA512 dc8dbb26bcb95180cac61261e02c4055bf105a9c344e85be951a23412bdc3187fece83df24464e2366c8d30188ca30ac35eff2448371e13eb3b377f7531208dd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000008.ldb

MD5 147f7d7039ae66390eb8426b559dcc4c
SHA1 d8b1f50c4597976cf4da395e36d503b491f4a503
SHA256 635e1058c5101d5fbc463a6792effb8083d5bb5ecde784cd3b0ea31f2f005943
SHA512 579b197d0c861a7cba8744cac365c2c832664a5be9135256a0d40f142963a1781e1e32b54a2cc92d063a0e7766e9a33e9343502fd4b123dab3c11506a0035f07

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000006

MD5 78c55e45e9d1dc2e44283cf45c66728a
SHA1 88e234d9f7a513c4806845ce5c07e0016cf13352
SHA256 7b69a2bee12703825dc20e7d07292125180b86685d2d1b9fd097df76fc6791ec
SHA512 f2ad4594024871286b98a94223b8e7155c7934ef4ebb55f25a4a485a059f75b572d21bc96e9b48ed394be8a41fe0208f7bfb6e28a79d75640c5b684f0c848fe3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

MD5 248aa19895f1d99ff98a915590a28730
SHA1 2b8af55976f2ae2cacbf4912f83bb21148c38de2
SHA256 c810b66398e2935e9c1c438bbfdeb3c5754d729b62a5f612fd0811d18b30e204
SHA512 83f7981e4b558bf8f5a1ddb31ff3864f66afc6aa831528cbc0f0f8d6d1a489d43cca49ca6cde44f256fd8c4eecf86f51aabf3252224d78a14bb6bd41aa0a889d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dcde4d3f3be4996392b93d300762a464
SHA1 ffd1120952cfe81cd88fc0c87248de1321e36425
SHA256 9d68556371aa57fa758d7a310e463dd999f35d9eaf4811b0dd38042c9dd629b0
SHA512 104b712befb8ee70e8605e2292908013b0dad66754cb1f24fc022644b6aa8f99cd80219b3e4071407605e7cc7afed7f9eea9c382983b44e8aa8ace563bed8c8b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000008.dbtmp

MD5 589c49f8a8e18ec6998a7a30b4958ebc
SHA1 cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e
SHA256 26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8
SHA512 e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 90d6a5ac813252d284ed0becad8c007f
SHA1 7f54d93696cf98b6b7985571ede7532134ee3419
SHA256 feadd3cd3570ca3262de98dae15dd77f47bf855f6160099c9ec4a957c3f937d1
SHA512 a63dba19b5ea1be509c7b17ab2f4b1c6d2ebccfa7757c4fe507c9d8685e46f46daca6ae888fc99076bc741ea860d6fc5c82a6af5da77021854b9e130ff2eaf87

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 2ec55376d827d78fe98915bf5fecdc7e
SHA1 dccdcfb0078c4bcada515ecde2c4901feb9862ec
SHA256 2d623030fdf2db71f4e41b1c84c8fd53ba07a6efaca5c262ebebf72c10862fd6
SHA512 791d7fb87ac439e4c66b4105cfeedb1bc351bf05407f20e3977c072eede198dbe13e70e99ba2144df755e24fdd738fa84a66afecaf4ca6482a0a1a2c7e3a62fe

C:\Users\Stand.ADi8mn\Contacts\desktop.ini

MD5 eefa7f76ff11a5ec21bb777b798ac46c
SHA1 2e7a65ea8427d13a92ea159a5b8859ff99d2a836
SHA256 840b46ed74821b5b61ca9ddc51a91cfe9151d11a494c89f183fadc02a78ac8ae
SHA512 111301e33c0b33c154ffff274db5eb167de0ddb4e769cab9a2d9fcd2882e6192053149abbcb00d17ae5f7661bafecc1111aff2025c89d07b247633bbccb0e3ef

memory/3044-419-0x00000000020C0000-0x00000000020D0000-memory.dmp

memory/3044-425-0x0000000002120000-0x0000000002130000-memory.dmp

C:\Users\Stand.ADi8mn\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 c8acd770f13f3768c87ef5e5c8b85d08
SHA1 0917e7583a19808a3ead4565ee247ffd641220ef
SHA256 0d6665c7a70f525d2aa551a3884c0a0799096e6e13be1fc9e8dd14ccac5b7012
SHA512 d7e7a4ceb3b8faee5634566119b4675515af05650299e06f50a4de1aa3671f05b46ce4e1baa4cfb451df9d6124e6b5b3d92b6e3105152572e1c75fd7e1e7586d

memory/3044-438-0x0000000002310000-0x0000000002311000-memory.dmp

memory/3044-440-0x0000000002310000-0x0000000002312000-memory.dmp

memory/3044-443-0x0000000002310000-0x0000000002312000-memory.dmp

memory/3044-451-0x0000000002770000-0x0000000002772000-memory.dmp

memory/3044-453-0x0000000002760000-0x0000000002762000-memory.dmp

memory/3044-461-0x0000000002760000-0x0000000002762000-memory.dmp

memory/3044-516-0x0000000002A70000-0x0000000002A72000-memory.dmp

memory/3044-517-0x0000000002960000-0x0000000002961000-memory.dmp

memory/3044-520-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/3044-524-0x00000000022B0000-0x00000000022B2000-memory.dmp

memory/3044-526-0x0000000002210000-0x0000000002211000-memory.dmp

C:\Users\Stand.ADi8mn\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f8a7a914a9ad11f3c4223f4119663763
SHA1 3e7868f4464b78b7ac4033329a39b181981427cc
SHA256 2126edcf281d005c7543e29f12392e30356d6db8681fb00ba2cc714ec5629f88
SHA512 1b25358dba555aeeeb75b0b6af6a14b923a621976cad5f6e0dee1a45d4f27ff44c040ace9eb960dd367585117cb829d0c0abab6bc73191c76d401e33d7ac800d

C:\Users\Stand.ADi8mn\Videos\desktop.ini

MD5 50a956778107a4272aae83c86ece77cb
SHA1 10bce7ea45077c0baab055e0602eef787dba735e
SHA256 b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978
SHA512 d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a

C:\Users\Stand.ADi8mn\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

C:\Users\Stand.ADi8mn\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

C:\Users\Stand.ADi8mn\Contacts\desktop.ini

MD5 449f2e76e519890a212814d96ce67d64
SHA1 a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd
SHA256 48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7
SHA512 c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

C:\Users\Stand.ADi8mn\Favorites\desktop.ini

MD5 881dfac93652edb0a8228029ba92d0f5
SHA1 5b317253a63fecb167bf07befa05c5ed09c4ccea
SHA256 a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
SHA512 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

MD5 a2d31a04bc38eeac22fca3e30508ba47
SHA1 9b7c7a42c831fcd77e77ade6d3d6f033f76893d2
SHA256 8e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531
SHA512 ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6

C:\Users\Stand.ADi8mn\Music\desktop.ini

MD5 06e8f7e6ddd666dbd323f7d9210f91ae
SHA1 883ae527ee83ed9346cd82c33dfc0eb97298dc14
SHA256 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68
SHA512 f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 17d5d0735deaa1fb4b41a7c406763c0a
SHA1 584e4be752bb0f1f01e1088000fdb80f88c6cae0
SHA256 768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed
SHA512 a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 c140f29230c9a4eb4ab775e517c359c6
SHA1 ad92b8b7ea27ccfdf93cf258349dc67b578912ec
SHA256 ecd97f8a22bdcd043b35e43a878df2f60b125196267c357169bdf09fe0c458da
SHA512 24341cf7cca6feb856d0fed5d7dbe8599cff94ee47d77f7de313c5ae6da368b3a2f59d5c54fe0a07a6734834ea04c2c829facb11bb5745e7f069eb11a51cb77c

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini

MD5 f107d0270e21a2fe91099fdc15918d44
SHA1 dabc2f24f4a4e90053743166e5c4175dcf2b2d2d
SHA256 eb315c9d165b4916e3b00e4d148b53a6c03a2f0694a6a8821d98e76f935ca6a8
SHA512 b5d51c0d6abe99121d4f4f1d236def4260b7d5c26c501d7735eba4f58e2597db0e89b2b1df16545e49fc39649806e5305efb912328541bdd31c01ff3d2bda49c

C:\Users\Stand.ADi8mn\Downloads\desktop.ini

MD5 3a37312509712d4e12d27240137ff377
SHA1 30ced927e23b584725cf16351394175a6d2a9577
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512 dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

MD5 7f1698bab066b764a314a589d338daae
SHA1 524abe4db03afef220a2cc96bf0428fd1b704342
SHA256 cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76
SHA512 4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 107007b6944f02921ea38915c168d226
SHA1 eaa3ccf0123084a4d4ca7a5b889cd965940c3e6c
SHA256 9fe15daf69cefaaec8742a63bb780609d3317fb98d742be9dac39c054cdc0b24
SHA512 edb6a1f75b590d8680ec5b1335446ddad38a671d628ace549f5ec67cdf4734a6eb69a8baf995755674e3c40a24bb990d5eb635ad3afe2180bebaaac6513dff61

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 5547a64ee3681b1fca07111e73dcc51a
SHA1 0b16a54ccb7c0284df649594e006ca96e07ac296
SHA256 c6a3db953cc63f23aa5ff66de5fc6b483f6a1106cf1f77cbd73617b2c4340e0e
SHA512 21a6b9b2c578ea8d0bfb22c1b37b0dde47395ec958fa5c73eafeb8b865080db132e565c7e8ce2ab1d2e934f414e23b820f3ff3571a7d737453f3ace76d11cc25

C:\Users\Stand.ADi8mn\Documents\desktop.ini

MD5 ecf88f261853fe08d58e2e903220da14
SHA1 f72807a9e081906654ae196605e681d5938a2e6c
SHA256 cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA512 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

MD5 548b310fbc7a26d0b9da3a9f2d604a0c
SHA1 1e20c38b721dff06faa8aa69a69e616c228736c1
SHA256 be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac
SHA512 fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1

C:\Users\Stand.ADi8mn\Searches\desktop.ini

MD5 8e11566270550c575d6d2c695c5a4b1f
SHA1 ae9645fad2107b5899f354c9144a4dfc33b66f9e
SHA256 1dc14736f6b0e9b68059324321acc14e156cd3a2890466a23bf7abf365d6c704
SHA512 a9fc4b17d75f85ae64315ba94570cb5317b5510c655d3d5c8fb44091ea37f31e431e99ed5308252897bdd93c34e771bf80f456c4873ef0aa58ca9bbb2e5ff7e0

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 d1e9b491a2c1a247bcce86478b611feb
SHA1 b5023317e12d07be381590a7c654c753e8d3d39d
SHA256 a7c09e7bd8efbc04a827666df38da4a1598ee3cbd23cc8883aa7d54531715d0d
SHA512 970c64524aa898d0b24890115ff11ba6cd547e641fb7658303cc36ef6bef496e3c4f0bb95ba48aa10e3669d3171a140b7602fe8afbf4e94c00d1a099d4e0aa2b

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 43316303b93df0edd21eea3577b6c918
SHA1 21d3bb07752df5b440fd538078c6b81f5f7ac6a3
SHA256 c9e27337ac347564b77fd29cfed0f8817b61135adee1ea992ec1c9777ec786f7
SHA512 33fa9a6b5b1f193da62e28f0def6a1666498dd4176e4b4afb161f5272bdee29bc7f50a85fc4dcb62e73d4546dfa7f0f4d16ca7e458f0ccd6a9730aff164958ae

C:\Users\Stand.ADi8mn\Searches\desktop.ini

MD5 089d48a11bff0df720f1079f5dc58a83
SHA1 88f1c647378b5b22ebadb465dc80fcfd9e7b97c9
SHA256 a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17
SHA512 f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8

C:\Users\Stand.ADi8mn\Links\desktop.ini

MD5 98470d9bd7fba55a0c303065f9c4f9be
SHA1 5303b190e29ba48332f7c90a832ef08af5a1953d
SHA256 3830022d5d7ef2ae2ca0a2b6ad73f0d4716b49bf7eeeaa87b618988d531b7c72
SHA512 134e072c3600bbb3c724c2700da399a14ba5b907153969362b3dbff32c480d39e7f5ecceebc9122a5a27265410557a16eb6bf82c9b635b90ef1fa0ae9efb849c

C:\Users\Stand.ADi8mn\Links\desktop.ini

MD5 de8858093993987d123060097a2bad66
SHA1 0a89e87ba46538cb73aff1a47e4dc0bcfb4760d5
SHA256 4c0d757717dec80eca8c6cbbfdda4706eb38fbbb7624933d5429dafc7bb9f0ec
SHA512 fa348ac4025b599f460cb831338ce010dde8fba87587a6d078d6d594a30fee87ed112e412078c10604553f326cc7bd7627ae93b0e3d8a60cfeda0720cad29f4c

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 453249f95d75eb5e450eb91fa755e1c8
SHA1 3e200e187e8cd21d3d1976ea0f7356626254de18
SHA256 01bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a
SHA512 6125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c

C:\Users\STAND~1.ADI\AppData\Local\Temp\RGIC69A.tmp

MD5 3006752a2bcfeda0f75d551ea656b2ef
SHA1 b7198fc772be6d6261ed4e76aca3998e8f7a7bdb
SHA256 dfd64231860c732dced3dc78627a7844a08d5d3e4cd253fd81186bae33cc368a
SHA512 3fcfa7c8f46220852dc7efef5b29caba86825d0461a35559f26dbb2540c487b92059713f42fe1082a00a711d83216db012835673e1c54120ffa079e154950854

C:\Users\STAND~1.ADI\AppData\Local\Temp\RGIC6EC.tmp

MD5 a828b8c496779bdb61fce06ba0d57c39
SHA1 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256 c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512 effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

C:\Users\Stand.ADi8mn\Favorites\Links\Web Slice Gallery.url

MD5 873c8643cbbfb8ff63731bc25ac9b18c
SHA1 043cbc1b31b9988d8041c3d01f71ce3393911f69
SHA256 c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466
SHA512 356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943

C:\Users\STAND~1.ADI\AppData\Local\Temp\wwwC94E.tmp

MD5 c2858b664c882dcce6042c40041f6108
SHA1 52eeaa0c7b9d17a8f56217f2ac912ba8fdc5041a
SHA256 b4a6fb97b5e3f87bcd9fae49a9174e3f5b230a37767d7a70bf33d151702eff91
SHA512 51522e67f426ba96495be5e7f8346e6bb32233a59810df2a3712ecd754a2b5d54d0049c8ea374bd4d20629500c3f68f40e4845f6bb236d6cca7d00da589b2260

C:\Users\Stand.ADi8mn\Favorites\Links\Web Slice Gallery.url

MD5 ad93eaac4ac4a095f8828f14790c1f8c
SHA1 f84f24c4ca9d04485a0005770e3ef1ca30eede55
SHA256 729111c923821a7ad0bb23d1a1dea03edbf503cd8b732e2d7eb36cf88eaa0cac
SHA512 f561b98836233849c016227a3366fcf8449db662f21aecd4bd45eb988f6316212685ce7ce6e0461fb2604f664ed03a7847a237800d3cdca8ba23a41a49f68769

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

MD5 da288dceaafd7c97f1b09c594eac7868
SHA1 b433a6157cc21fc3258495928cd0ef4b487f99d3
SHA256 6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2
SHA512 9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062

C:\Users\Stand.ADi8mn\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 3b8be7ca650b50f1894a7fc222e01e79
SHA1 672a022e9ab50ad269bfe7f06d2f8d4dbe4e0a73
SHA256 6022d01ab28b862388506efdcfb096d38ee495bbeb68a1361f9b0a0ae3e8c5fc
SHA512 c7d75e42f4bd4a7e90332c3b899c09af881dc504525f7d87f0cc15cbc6792786fb7e15e3affde3d13831a55ed4178ce969635d0f55ced887a2a064d1c9f21093

memory/2880-996-0x00000000027E0000-0x00000000027E2000-memory.dmp

memory/2880-999-0x00000000028E0000-0x00000000028E1000-memory.dmp

memory/2880-1006-0x0000000002450000-0x0000000002452000-memory.dmp

memory/2880-1008-0x0000000002430000-0x0000000002431000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 46a4eca2a791d84afecfd9f129a567df
SHA1 004f2926d9377cc23c5b68ce26907435b8539643
SHA256 06b6d34db7e9ebecc07e0b53fedb2a9bc2d4563b1d2037b7630fbc002942baf7
SHA512 dbeecf882210add0dd4ac57f75ccdf6a9604c3308e92f70747313f89a7f9c590f4e1cdd507e53ee37e0a1b7e437320dc6ec1299d406ef34ddd67dfd900fddd98

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 4d7a0638c2d76fe0d8a6bc92be6d45c6
SHA1 b7ce38e2907faa31d603c75b1ab17ad24129c30d
SHA256 35150162b1d250163f3aae105c64dfc8b5d294a9a09f90a0f6494624151b4aa9
SHA512 a275366aab51a03e4838bca5ef335e4433838895ef1146ec7c24b5cf7660f21a0eae93914da34c758e47d6ccf8ad262e5d58979e78b7d29380e1d9939e723dec

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 9d3992c20197c16cff5b7c3a385aad64
SHA1 9a2834d33eb30d65b2b2c4e66cf5f14ea0eb5417
SHA256 1bbb09845d9e1a4e3eab3f65959ebe583ef9fb361a5b7062be069212f68905ff
SHA512 3ad05ff08a49fb4524ac9e588ae7b09ac70d37b60637965e4d2f5a286080a3b01c1ed20ad6431b088ecc065233e00f4d84946be2fc6ee224dc6cbaeb127408a8

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 7a8d325ba6bd708046b0e8e26aa22db5
SHA1 5994c67a16969ee746e5a85198746c477bb1aba5
SHA256 139aabdd512b412114252c20742fc9972d8cf9c52dc1926ec74e34f68359e694
SHA512 6688f21f26dec0e317405406133d9f26ccf0cbf3730843ceb737fa1ad0ee280ed476bf73eab72e4d770b2c89ac1f59d3d6568df74d6c6cbab8c07430027473e6

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 7f8019fb465f9a09c3b5002059a248d4
SHA1 d16c0b7e6215b2eb1b262c7a57a46c4677aa8163
SHA256 6853e3431028ccec881c9644ed4a5eb4635465eb8399b0b10acd3f7499bc8716
SHA512 5849eda663a86c17a7dcbfc6083a16c8ca8eb72d64d8a63dc44f5e9efcf5d72ca8e2cb0fb92b388f92cbfbc39235577e162ac94c728c130b7e2313aa5c7451a5

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 e4e50dfa455b2cbe356dffdf7aa1fcaf
SHA1 c58be9d954b5e2dd0e5efa23a0a3d95ab8119205
SHA256 9284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927
SHA512 bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169

C:\Users\Stand.ADi8mn\Saved Games\desktop.ini

MD5 b441cf59b5a64f74ac3bed45be9fadfc
SHA1 3da72a52e451a26ca9a35611fa8716044a7c0bbc
SHA256 e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311
SHA512 fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

C:\Program Files\Google\Chrome\Application\SetupMetrics\829fa8f3-412b-41a7-970d-566fc67b2ef9.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

MD5 30a27cb437428ae853ab4a63d26b1519
SHA1 07257f7a5a46e6ea1bdfda19dcadd197fdc963a7
SHA256 47d06cdd9f2d897a41a73af397bbddba273121c695800f33cb2bd00deed1790f
SHA512 e24dab58eb4c316ff4c0f8f0b5c29aa4d2262cf3a38310dfb8bac7c9ae6a12e82410632065f7887cb3c9a9acb02cc8891da91e7d7e94d2592320945ef0030a96

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 1c61dc21f9b83172d65be1e94b79026f
SHA1 7324473ddda64b87c299bf6e3b9e9aff53f7fd74
SHA256 8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b
SHA512 9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 9a1b13fd914dd7054b83bc1760c99ab8
SHA1 340c37602b11cd3cb9ae681d09bfc4c81f733742
SHA256 7f0a9cc0be951d60d6c8e60d1a612bfa65fa390020d7c0c80f212ba2a47a4aa3
SHA512 50d48a348c71fb9e89ab01e59fe599b692a1701f19d2c9de6ae09678e0a44ba95020b1989f9c776edcacacc5f2b2b348b0f31aa28c04850e69e47cda6dcaf88e

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk

MD5 47b2e1c4ddd5fa161f4e7314222d7a29
SHA1 f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4
SHA256 20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772
SHA512 07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk

MD5 fabab9793df60cefb431abdf1568c276
SHA1 3fc10a1b9516918e9d73799dff46f2a4e135ad22
SHA256 0c973b208d08a12dc4cb0dad1351564c8178d00bfc425a2d1bcab98629e111ab
SHA512 8e635d9e6527180ea5a288e800db6ab8ac523c8fc56bc640af5c00baccd291e3732ed05ad4ebaf59ceea5bb453696ac9464a05a06ba917ce5692f7f021b44f21

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 e5a8eb64419f6d85a1b7aed2152616c2
SHA1 f5d94f8953bb235e35fccec0ea4f14ba69443081
SHA256 5266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7
SHA512 7c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6

C:\Users\Stand.ADi8mn\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

MD5 e0fd7e6b4853592ac9ac73df9d83783f
SHA1 2834e77dfa1269ddad948b87d88887e84179594a
SHA256 feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122
SHA512 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

C:\Users\Stand.ADi8mn\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms

MD5 1c16ae3357a1d789ba860daf7cf79da5
SHA1 429097abf9545e5dbd7c7255e7ec3d3f246ae209
SHA256 a5f957220955ed98a639656f3add79ca86772b73f55e0006f2d7afad617d3eed
SHA512 3589fd4ed4bf1fc0359a53ffe4450a0760e6e509921ad6e9e68430dcd0c629d4b05d2b3e4257d650b95d4d4c52cf58271573321758564e61c6126bf8472cd3ef

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 b93732edab0db0ece0e8d121829ebe97
SHA1 f2cf37e3f5e482c819157a98e347a036f9fd4d24
SHA256 43359fd652637a2cea5f2cd3f52e689e2f988d434955d6c74b54d4be16a8b32b
SHA512 d2b2f588a5ea8c7958786ca844be108675fc11572f1b27cd5ca6bfcd035b9ab04f84ba3dbb45951593ed84bf4da443c24ceeb8dba95399fdd5a893bd43101de1

memory/1648-1459-0x0000000002A80000-0x0000000002A90000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 d60633b29a1bb8265a0395ef5c38e038
SHA1 385c08b596c3224a0a1bde9a20d890a73009b81d
SHA256 faca587bf0e0597a8510a027d9fea52454a7b67b08c442bf9d8be681cde89283
SHA512 be559dff42fe6422edcb1a20b2ac3a66da6f6d4eff58a5f1f879b7a45f32dc28c64368528777c791b3949087a3e37196731f87936451913d80ecfe0e2c1903f2
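The listing above is the raw evidence behind three of the report's signatures ("Drops startup file", "Drops desktop.ini file(s)", "Sets desktop wallpaper using registry"): every user shell folder gets a fresh desktop.ini, the Startup folder is written, and TranscodedWallpaper.jpg is replaced. Working through hundreds of such entries by hand is error-prone, so here is a small triage script that parses this exact layout (path line, blank line, four hash lines) into records, sanity-checks each hash, deduplicates SHA256 values for IOC export, and tags the locations that correspond to those signatures. This is an added example, not part of the report or the sandbox's own tooling; the flagging rules are my heuristics, not the sandbox's signature logic, and the embedded sample consists of five entries copied verbatim from the listing above.

```python
"""Triage the 'Files' section of a sandbox report: parse path/hash records,
validate hashes, deduplicate SHA256 IOCs and tag suspicious drop locations."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: five entries copied from the listing above, in the
# report's own layout (path line, blank, MD5/SHA1/SHA256/SHA512 lines, blank).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 90d6a5ac813252d284ed0becad8c007f
SHA1 7f54d93696cf98b6b7985571ede7532134ee3419
SHA256 feadd3cd3570ca3262de98dae15dd77f47bf855f6160099c9ec4a957c3f937d1
SHA512 a63dba19b5ea1be509c7b17ab2f4b1c6d2ebccfa7757c4fe507c9d8685e46f46daca6ae888fc99076bc741ea860d6fc5c82a6af5da77021854b9e130ff2eaf87

memory/3044-419-0x00000000020C0000-0x00000000020D0000-memory.dmp

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

MD5 7f1698bab066b764a314a589d338daae
SHA1 524abe4db03afef220a2cc96bf0428fd1b704342
SHA256 cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76
SHA512 4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719

C:\Users\Stand.ADi8mn\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

MD5 da288dceaafd7c97f1b09c594eac7868
SHA1 b433a6157cc21fc3258495928cd0ef4b487f99d3
SHA256 6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2
SHA512 9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062

C:\Users\Stand.ADi8mn\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17
"""

# Expected hex-digit length of each digest the report emits.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def is_memory_dump(self) -> bool:
        # Memory-region artifacts appear in the same list but carry no hashes.
        return self.path.startswith("memory/")

    def bad_hashes(self) -> list:
        """Digest labels whose value has the wrong length or non-hex characters."""
        return [k for k, v in self.hashes.items()
                if len(v) != HASH_LEN[k] or not HEX.match(v)]


def parse_files_section(text: str) -> list:
    """Turn the report layout into FileRecords. A line whose first token is a
    digest label attaches to the current record; any other non-blank line
    starts a new record (a path beginning with 'MD5 ' would be misread, which
    does not occur in Windows drop paths)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, _, value = line.partition(" ")
        if label in HASH_LEN and records:
            records[-1].hashes[label] = value.lower()
        else:
            records.append(FileRecord(path=line))
    return records


def flags(rec: FileRecord) -> list:
    """Heuristic tags (assumed, mine) mirroring the report's signature names."""
    if rec.is_memory_dump:
        return ["memory-dump (no hash)"]
    p = rec.path
    out = []
    if "\\Start Menu\\Programs\\Startup\\" in p:
        out.append("startup-folder write")          # "Drops startup file"
    if p.lower().endswith("\\desktop.ini"):
        out.append("desktop.ini write")             # "Drops desktop.ini file(s)"
    if "\\Themes\\TranscodedWallpaper" in p:
        out.append("wallpaper replaced")            # "Sets desktop wallpaper"
    if "\\AppData\\Local\\Temp\\" in p and p.lower().endswith(".tmp"):
        out.append("temp drop")
    if rec.bad_hashes():
        out.append("malformed hash")
    return out


def summarize(records: list) -> dict:
    """Deduplicated SHA256 IOC list plus a tally of flags; the number of
    distinct folders receiving desktop.ini shows how wide the sweep was."""
    sha256 = {r.hashes["SHA256"] for r in records if "SHA256" in r.hashes}
    ini_dirs = {r.path.rsplit("\\", 1)[0] for r in records
                if "desktop.ini write" in flags(r)}
    tally = Counter(f for r in records for f in flags(r))
    return {"records": len(records), "unique_sha256": sorted(sha256),
            "desktop_ini_dirs": len(ini_dirs), "flags": dict(tally)}


if __name__ == "__main__":
    recs = parse_files_section(SAMPLE)
    for r in recs:
        print(f"{r.path}\n    {', '.join(flags(r)) or '-'}")
    print(summarize(recs))
```

Run it over the whole Files section of a report to get a SHA256 list for blocking and a count of shell folders touched; a desktop.ini rewritten in every user folder alongside a Startup write and a wallpaper swap is the combination worth escalating, whereas the Chrome LevelDB and cache entries at the top of the listing are ordinary browser churn from the detonation command line and carry no signal on their own.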