Malware Analysis Report

2025-01-19 04:41

Sample ID 240811-qa7hsavdph
Target lolhahahackerwowohnoo.zip
SHA256 0dd46341ec484a9634677c19ce94f04287f2f288c7bf4b751e0ca28a569986a2
Tags
defense_evasion discovery evasion execution persistence ransomware microsoft phishing privilege_escalation
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0dd46341ec484a9634677c19ce94f04287f2f288c7bf4b751e0ca28a569986a2

Threat Level: Known bad

The file lolhahahackerwowohnoo.zip was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution persistence ransomware microsoft phishing privilege_escalation

Modifies visibility of file extensions in Explorer

Boot or Logon Autostart Execution: Active Setup

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Loads dropped DLL

System Binary Proxy Execution: Rundll32

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Drops startup file

Modifies system executable filetype association

Checks computer location settings

Adds Run key to start application

Drops desktop.ini file(s)

Checks installed software on the system

Enumerates connected drives

Checks system information in the registry

Sets desktop wallpaper using registry

Detected potential entity reuse from brand microsoft.

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry class

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Modifies Internet Explorer Protected Mode

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-11 13:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 13:04

Reported

2024-08-11 13:19

Platform

win7-20240729-en

Max time kernel

861s

Max time network

862s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\hello.bat"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Explorer.EXE N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "con" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514" C:\Windows\Explorer.EXE N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\System32\regsvr32.exe N/A

System Binary Proxy Execution: Rundll32

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-21-2257386474-3982792636-3902186748-1001\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Searches\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Saved Games\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\TEMP\Links\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Contacts\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2257386474-3982792636-3902186748-1001\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Contacts\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Links\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Favorites\Links\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File created C:\Users\TEMP\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Program Files\Windows Mail\WinMail.exe N/A
File opened for modification C:\Users\TEMP\Desktop\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Favorites\Links for United States\desktop.ini C:\Windows\System32\mctadmin.exe N/A
File opened for modification C:\Users\TEMP\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Downloads\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Desktop\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Favorites\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Windows\Explorer.EXE N/A
File opened for modification C:\Users\TEMP\Downloads\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Favorites\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Contacts\desktop.ini C:\Program Files (x86)\Windows Mail\WinMail.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\TEMP\Saved Games\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\Explorer.EXE N/A
File opened for modification C:\Users\TEMP\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Searches\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\TEMP\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Windows\Explorer.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\d: C:\Windows\Explorer.EXE N/A
File opened (read-only) \??\D: C:\Windows\Explorer.EXE N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lolhahahackerwowohnoo\\wowcoolfile.png" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\TEMP\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\TEMP\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Windows\System32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP C:\Windows\System32\ie4uinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\Explorer.EXE N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Program Files\Mozilla Firefox\firefox.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\rundll32.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Windows\Explorer.EXE N/A
File opened for modification \??\c:\windows\cursors\larrow.cur C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\Cursors\lcross.cur C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\DisplayIcon.ico C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\ie4uinit.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\Cursors\larrow.cur C:\Windows\Explorer.EXE N/A
File opened for modification \??\c:\windows\cursors\lcross.cur C:\Windows\Explorer.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\runonce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Mail\WinMail.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Explorer.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Explorer.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Explorer.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Explorer.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\csrss.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\System32\ie4uinit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\ C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Windows\helppane.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Main\Use_DlgBox_Colors = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Main\NoUpdateCheck = "1" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\SOFTWARE\Microsoft\Internet Explorer\New Windows C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\23\IEPropFontName = "Gulim" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Settings\Use Anchor Hover Color = "No" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 981a1506f1ebda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\8\IEPropFontName = "Times New Roman" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\18\IEPropFontName = "Kartika" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\31\IEPropFontName = "Segoe UI Symbol" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\SOFTWARE\Microsoft\Internet Explorer\TypedURLs C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Document Windows C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\6 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\7 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\11 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\35\IEPropFontName = "Estrangelo Edessa" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\37\IEFixedFontName = "Khmer UI" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Sylfaen" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\13 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\24 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Nyala" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Main\Save_Session_History_On_Exit = "no" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\LinksBar C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\10\IEPropFontName = "Mangal" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\19 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\User Preferences C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\16 C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = 18dd1103f1ebda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\5 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\13\IEFixedFontName = "Shruti" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\15 C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = [binary value not preserved in report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\20\IEPropFontName = "DokChampa" C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\29\IEFixedFontName = "Plantagenet Cherokee" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Khmer UI" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\BrowserEmulation C:\Windows\helppane.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Recovery\Active C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\16\IEFixedFontName = "Vani" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\28 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\InternetRegistry C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "Sylfaen" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\International\Scripts\25\IEPropFontName = "PMingLiu" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Settings\Background Color = "192,192,192" C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = b87b0f03f1ebda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Windows\helppane.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" C:\Windows\System32\ie4uinit.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\Profile C:\Windows\system32\winlogon.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" C:\Windows\system32\winlogon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession C:\Windows\system32\winlogon.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\KeyboardLayout = "0" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" C:\Windows\system32\winlogon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" C:\Windows\system32\winlogon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" C:\Windows\system32\winlogon.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\RemoteSession\CLSID C:\Windows\system32\winlogon.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/aiff C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mpg C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD\Shell C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/msvideo C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.m1v C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupView = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wm\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\0 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\0\MRUListEx = ffffffff C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mp3 C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-ms-wmd C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.m1v C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DVD C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wvx C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202 C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\command C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wvx C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.WTV\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-ms-wmz C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mp3 C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\midi/mid C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF} C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD\Shell\Play\Command C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aac\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cda C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\{D674391B-52D9-4E07-834E-67C98610F39D}\Mode = "4" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\Explorer.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\MRUListEx = 00000000ffffffff C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\3\0 C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/3gpp2 C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.MOD\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\command C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aiff C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wms C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wma\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\1\0\NodeSlot = "13" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\2\0\0\NodeSlot = "15" C:\Windows\Explorer.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.adts C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\Explorer.EXE N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\LogonUI.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files\Windows Mail\WinMail.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files\Windows Mail\WinMail.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\BitLockerWizardElev.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 1880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 2792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2208 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2208 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2208 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2208 wrote to memory of 1440 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2208 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2208 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2208 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2208 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2208 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2208 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2208 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2208 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 1188 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2208 wrote to memory of 2244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2208 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1036 wrote to memory of 2324 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2984 wrote to memory of 2324 N/A C:\Windows\system32\winlogon.exe C:\Windows\system32\LogonUI.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\hello.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Add-Type -TypeDefinition @'

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\wowcoolfile.png" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\msg.exe

msg * "Error 404: Productivity not found. Did you try turning it off and on again?"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 500: Coffee is empty. Time to panic"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 403: Access to Netflix denied. Go outside for a change"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 301: Memes not loading. Did you check your WiFi connection?"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 999: The 'Enter' key is broken. Please perform a ritual dance to fix it."

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Invoke-WebRequest -Uri 'https://mirrors.cicku.me/linuxmint/iso/stable/22/linuxmint-22-cinnamon-64bit.iso' -OutFile 'C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\linuxmint-22-cinnamon-64bit.iso'"

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

C:\Windows\system32\timeout.exe

timeout /t 2 /nobreak

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x50c

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\userinit.exe

C:\Windows\system32\userinit.exe

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files (x86)\Windows Mail\WinMail.exe

"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -UserConfig

C:\Windows\System32\ie4uinit.exe

C:\Windows\System32\ie4uinit.exe -ClearIconCache

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\TEMP\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13f857688,0x13f857698,0x13f8576a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\TEMP\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13f857688,0x13f857698,0x13f8576a8

C:\Windows\System32\jpqbri.exe

"C:\Windows\System32\jpqbri.exe"

C:\Program Files\Windows Sidebar\sidebar.exe

"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun

C:\Windows\SysWOW64\runonce.exe

C:\Windows\SysWOW64\runonce.exe /Run6432

C:\Windows\System32\mctadmin.exe

"C:\Windows\System32\mctadmin.exe"

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\BitLockerWizardElev.exe

"C:\Windows\System32\BitLockerWizardElev.exe" C:\ T

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{86D5EB8A-859F-4C7B-A76B-2BD819B7A850}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\TEMP\Desktop\hi.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\TEMP\Desktop\hi.txt

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\rstrui.exe

"C:\Windows\system32\rstrui.exe"

C:\Windows\system32\rstrui.exe

"C:\Windows\system32\rstrui.exe"

C:\Windows\system32\rstrui.exe

"C:\Windows\system32\rstrui.exe"

C:\Windows\system32\rstrui.exe

"C:\Windows\system32\rstrui.exe"

C:\Windows\system32\rstrui.exe

"C:\Windows\system32\rstrui.exe"

C:\Windows\system32\rstrui.exe

"C:\Windows\system32\rstrui.exe"

C:\Windows\system32\rstrui.exe

"C:\Windows\system32\rstrui.exe"

C:\Windows\system32\rstrui.exe

"C:\Windows\system32\rstrui.exe"

C:\Windows\system32\rstrui.exe

"C:\Windows\system32\rstrui.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{9200689A-F979-4EEA-8830-0E1D6B74821F}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.0.1277059336\1912134710" -parentBuildID 20221007134813 -prefsHandle 1232 -prefMapHandle 1516 -prefsLen 18084 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1067929-acaf-4c8a-b934-c27e7774f3c3} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 1124 41f1958 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.1.1201637053\197774181" -parentBuildID 20221007134813 -prefsHandle 1376 -prefMapHandle 1364 -prefsLen 18674 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1963602-2314-47f8-9311-c4dd7ae27e03} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 1628 13b81a58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.2.1740000469\1878342877" -childID 1 -isForBrowser -prefsHandle 1920 -prefMapHandle 1256 -prefsLen 19455 -prefMapSize 231738 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {789026cb-5ddc-4f16-b2bf-a1f342b0207e} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 2128 15215c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.3.2049834714\662085872" -childID 2 -isForBrowser -prefsHandle 2544 -prefMapHandle 2588 -prefsLen 19610 -prefMapSize 231738 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {265c5d17-2d78-433c-8f65-59035dcafca3} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 2680 19a6bb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.4.608489378\2022225162" -parentBuildID 20221007134813 -prefsHandle 2932 -prefMapHandle 2924 -prefsLen 20733 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {455cec28-535c-4123-9c90-e40e09daec06} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 2944 1c0fab58 rdd

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.5.213298493\1892938630" -childID 3 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26870 -prefMapSize 231738 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e21f9a3b-693b-42f8-8d8a-a11df448e35e} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 3556 1f9d6658 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.6.1659648842\370881996" -childID 4 -isForBrowser -prefsHandle 3604 -prefMapHandle 3512 -prefsLen 26950 -prefMapSize 231738 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a1ce21a-1a75-42e6-bd4b-3555be7a2aeb} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 3764 1a847258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.7.274584753\453915652" -childID 5 -isForBrowser -prefsHandle 3944 -prefMapHandle 3948 -prefsLen 27389 -prefMapSize 231738 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c8dd716-4280-44cc-a45e-ab1f3631a214} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 3932 1a2f2258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.8.666396048\550122772" -childID 6 -isForBrowser -prefsHandle 4412 -prefMapHandle 4364 -prefsLen 28251 -prefMapSize 231738 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0295ccba-c6b7-4f0b-a4e9-18c98ff4b575} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 3452 1fb0ab58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2300.9.1380746669\1674054765" -childID 7 -isForBrowser -prefsHandle 3504 -prefMapHandle 4572 -prefsLen 28824 -prefMapSize 231738 -jsInitHandle 580 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25063d85-f183-4d42-a899-430adc149eb0} 2300 "\\.\pipe\gecko-crash-server-pipe.2300" 4564 26699e58 tab

C:\Windows\system32\OptionalFeatures.exe

"C:\Windows\system32\OptionalFeatures.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\System32\BitLockerWizardElev.exe

"C:\Windows\System32\BitLockerWizardElev.exe" \\?\Volume{1bfb6481-4dc9-11ef-bdf4-eaa2ac88cdb5}\ T

C:\Windows\helppane.exe

C:\Windows\helppane.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3784 CREDAT:275457 /prefetch:2

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com tcp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:50548 tcp
N/A 127.0.0.1:50563 tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 tracking-protection.cdn.mozilla.net udp
US 34.120.158.37:443 tracking-protection.cdn.mozilla.net tcp
US 8.8.8.8:53 tracking-protection.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 search.brave.com udp
GB 13.224.132.82:80 search.brave.com tcp
GB 13.224.132.50:443 search.brave.com tcp
GB 13.224.132.50:443 search.brave.com udp
US 8.8.8.8:53 cdn.search.brave.com udp
GB 13.224.81.127:443 cdn.search.brave.com tcp
GB 13.224.81.127:443 cdn.search.brave.com udp
GB 54.192.137.121:443 cdn.search.brave.com tcp
GB 54.192.137.121:443 cdn.search.brave.com udp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 wiki.mozilla.org udp
US 8.8.8.8:53 www.mozilla.org udp
US 8.8.8.8:53 us-west1.prod.sumo.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 www.mozorg.moz.works udp
US 8.8.8.8:53 wiki-prod-850398177.us-west-2.elb.amazonaws.com udp
US 8.8.8.8:53 imgs.search.brave.com udp
GB 13.224.81.127:443 imgs.search.brave.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.28.176.19:80 www.bing.com tcp

Files

memory/1880-4-0x000007FEF5ADE000-0x000007FEF5ADF000-memory.dmp

memory/1880-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/1880-6-0x0000000002810000-0x0000000002818000-memory.dmp

memory/1880-7-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/1880-8-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/1880-10-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/1880-11-0x000007FEF5820000-0x000007FEF61BD000-memory.dmp

memory/1880-9-0x0000000002DD4000-0x0000000002DD7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a8b6aa829b16c81222a744a8adb86e12
SHA1 f987def00a317bc4f4a149ce0a08054f5f64b2b1
SHA256 13efe60ef225c0ff5f1547813baf473341f57df7185933aa1272d85846bc803d
SHA512 35a7bafbe2a228410294210717c31bfb4d2194eb1090e79541d92283f12d16f19159eeec0b1cb5665d7ef2878aa9572923f150441a94d7d9a42d2ca90088b361

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2740-18-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

memory/2740-19-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2257386474-3982792636-3902186748-1001\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

memory/2628-37-0x0000000002420000-0x0000000002430000-memory.dmp

memory/2628-43-0x0000000002530000-0x0000000002540000-memory.dmp

C:\Users\TEMP\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 59708e7d14d446f05771b1940ca800a6
SHA1 84ba292c224f2a725eadb3c1a02d270f55a83319
SHA256 d3575a19d0963dff1d752178306111f3b50a78b4964640ab9ad3556a2fd0f43e
SHA512 89d9d152d7efe042938689b511b4b4bcd4ba343f39812cb19e8f40c7ab6c89d09957a7084f8c3e078c7735bcf5d76ee7a6c7fb992ed99b045db5c926f067ff8e

memory/2628-56-0x0000000002660000-0x0000000002661000-memory.dmp

memory/2628-58-0x00000000025B0000-0x00000000025B2000-memory.dmp

memory/2628-61-0x00000000025B0000-0x00000000025B2000-memory.dmp

memory/2628-69-0x0000000002BC0000-0x0000000002BC2000-memory.dmp

memory/2628-71-0x0000000002A30000-0x0000000002A32000-memory.dmp

memory/2628-79-0x0000000002A30000-0x0000000002A32000-memory.dmp

memory/2628-134-0x0000000003280000-0x0000000003282000-memory.dmp

memory/2628-135-0x0000000003270000-0x0000000003271000-memory.dmp

memory/2628-138-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2628-142-0x00000000024A0000-0x00000000024A2000-memory.dmp

memory/2628-144-0x0000000002480000-0x0000000002481000-memory.dmp

C:\Users\TEMP\Contacts\desktop.ini

MD5 eefa7f76ff11a5ec21bb777b798ac46c
SHA1 2e7a65ea8427d13a92ea159a5b8859ff99d2a836
SHA256 840b46ed74821b5b61ca9ddc51a91cfe9151d11a494c89f183fadc02a78ac8ae
SHA512 111301e33c0b33c154ffff274db5eb167de0ddb4e769cab9a2d9fcd2882e6192053149abbcb00d17ae5f7661bafecc1111aff2025c89d07b247633bbccb0e3ef

C:\Users\TEMP\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\TEMP\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

C:\Users\TEMP\Videos\desktop.ini

MD5 50a956778107a4272aae83c86ece77cb
SHA1 10bce7ea45077c0baab055e0602eef787dba735e
SHA256 b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978
SHA512 d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a

C:\Users\TEMP\Contacts\desktop.ini

MD5 449f2e76e519890a212814d96ce67d64
SHA1 a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd
SHA256 48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7
SHA512 c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

C:\Users\TEMP\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

MD5 a2d31a04bc38eeac22fca3e30508ba47
SHA1 9b7c7a42c831fcd77e77ade6d3d6f033f76893d2
SHA256 8e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531
SHA512 ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6

C:\Users\TEMP\Favorites\desktop.ini

MD5 881dfac93652edb0a8228029ba92d0f5
SHA1 5b317253a63fecb167bf07befa05c5ed09c4ccea
SHA256 a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
SHA512 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

C:\Users\TEMP\Documents\desktop.ini

MD5 ecf88f261853fe08d58e2e903220da14
SHA1 f72807a9e081906654ae196605e681d5938a2e6c
SHA256 cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA512 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 17d5d0735deaa1fb4b41a7c406763c0a
SHA1 584e4be752bb0f1f01e1088000fdb80f88c6cae0
SHA256 768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed
SHA512 a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3

C:\Users\TEMP\Music\desktop.ini

MD5 06e8f7e6ddd666dbd323f7d9210f91ae
SHA1 883ae527ee83ed9346cd82c33dfc0eb97298dc14
SHA256 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68
SHA512 f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 76a2edf16f306cdfa1aa8eea0f954d7c
SHA1 99468c7828f1b13737aaabb26ed5fa837c644fde
SHA256 1a8efdcc316e41dcb3f1e47e5a2f95e67d3734decbaad94eb20fd35cbbb17cb7
SHA512 efd308c32240eef1b26cc9049b072237c18385bf574686499c63a49f0ce917e484ea9e0abef9025b10c41c79a4bc2bdd268000f58f8d5f67da01f2b4495ac625

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini

MD5 f107d0270e21a2fe91099fdc15918d44
SHA1 dabc2f24f4a4e90053743166e5c4175dcf2b2d2d
SHA256 eb315c9d165b4916e3b00e4d148b53a6c03a2f0694a6a8821d98e76f935ca6a8
SHA512 b5d51c0d6abe99121d4f4f1d236def4260b7d5c26c501d7735eba4f58e2597db0e89b2b1df16545e49fc39649806e5305efb912328541bdd31c01ff3d2bda49c

C:\Users\TEMP\Searches\desktop.ini

MD5 8e11566270550c575d6d2c695c5a4b1f
SHA1 ae9645fad2107b5899f354c9144a4dfc33b66f9e
SHA256 1dc14736f6b0e9b68059324321acc14e156cd3a2890466a23bf7abf365d6c704
SHA512 a9fc4b17d75f85ae64315ba94570cb5317b5510c655d3d5c8fb44091ea37f31e431e99ed5308252897bdd93c34e771bf80f456c4873ef0aa58ca9bbb2e5ff7e0

C:\Users\TEMP\Downloads\desktop.ini

MD5 3a37312509712d4e12d27240137ff377
SHA1 30ced927e23b584725cf16351394175a6d2a9577
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512 dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 0ff56a4620c3221ff64ec61a3a0d3033
SHA1 3a45320be12b585dcdc5ab2af5ea1455b2c919a1
SHA256 0b0a65accca705494739d03b6c2ea769c78cd0eee996bc95b0c6ebc0941f4b1a
SHA512 962a340efeb6d18c85e5872997eebb83374e114be088689690ba438f0db8e2e4df6c24713a35cfaec518f58d5322cf9617638ea55ff279a9d161c4fdf9af74f6

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 fbe2aedcc651c06b6533fc4f1626be83
SHA1 b38cb10efadc8851f3f1d5799e9596264376c242
SHA256 fa583569e1c91b2daebd3a1b25f2e33b0c2b1ef7fd6258f2f56a3a1f2228fa6b
SHA512 b3640911c8884ca8f84a6634684ba29a32e780ba1967c58f74779ac6830943176a68640e6ee6a5c4109f45fafe4dec8fa5e215aa29ccd06608bc271841eabca0

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

MD5 7f1698bab066b764a314a589d338daae
SHA1 524abe4db03afef220a2cc96bf0428fd1b704342
SHA256 cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76
SHA512 4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

MD5 548b310fbc7a26d0b9da3a9f2d604a0c
SHA1 1e20c38b721dff06faa8aa69a69e616c228736c1
SHA256 be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac
SHA512 fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 5547a64ee3681b1fca07111e73dcc51a
SHA1 0b16a54ccb7c0284df649594e006ca96e07ac296
SHA256 c6a3db953cc63f23aa5ff66de5fc6b483f6a1106cf1f77cbd73617b2c4340e0e
SHA512 21a6b9b2c578ea8d0bfb22c1b37b0dde47395ec958fa5c73eafeb8b865080db132e565c7e8ce2ab1d2e934f414e23b820f3ff3571a7d737453f3ace76d11cc25

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 57df9accddfd9b0ed8f4901fba06be34
SHA1 fcd6ef2d7af746692c3741de7c46d229dcc3f847
SHA256 b90bf260e07586224477771ad43a29cdbbcdd3a555bbcaffce581c7189b7be02
SHA512 452557943a6c52add7d4ad591c2783001e5ddcdf7c36879a2717581ccbfc18a4c916b4bada34aae7868217d191394876842c214eee550fbb7e827325031ba6a3

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 0a6ea9c200ee95e0fcbb7cfa8485a542
SHA1 933bdc510b382c98618fe644c210341fba9deb3c
SHA256 fee51f41743577087cf4b12c1fa0866bb6e2965c55f5e6d49c0e4a6cee6e8d75
SHA512 2a9e9b463417cce5071820e8327d18c5e47e54a4ec49d6e3fb9fa8d1c53cc8313d418d477a6bed79d84a5f9c70f0e37361eb85fe5aaf7dc765ead01737ae44b5

C:\Users\TEMP\Links\desktop.ini

MD5 98470d9bd7fba55a0c303065f9c4f9be
SHA1 5303b190e29ba48332f7c90a832ef08af5a1953d
SHA256 3830022d5d7ef2ae2ca0a2b6ad73f0d4716b49bf7eeeaa87b618988d531b7c72
SHA512 134e072c3600bbb3c724c2700da399a14ba5b907153969362b3dbff32c480d39e7f5ecceebc9122a5a27265410557a16eb6bf82c9b635b90ef1fa0ae9efb849c

C:\Users\TEMP\Saved Games\desktop.ini

MD5 b441cf59b5a64f74ac3bed45be9fadfc
SHA1 3da72a52e451a26ca9a35611fa8716044a7c0bbc
SHA256 e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311
SHA512 fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

C:\Users\TEMP\Links\desktop.ini

MD5 92adc8410cd8cb1d0481e2adbb62c7dd
SHA1 bac1444ebe0bac748966f3bee84ee11e151a4810
SHA256 4a3d7ccddac5c1b437fb687e90589015b9b9ae7708ea35eed9917d1190f65694
SHA512 d7c3a5df50b28e336ff24f828cdf225554d199d3c2a857e2a7baa1f2bc1fee21944733edee52bd665ebaee999f5668d03497e9bfe88d58d380b74e6046ec5d62

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 453249f95d75eb5e450eb91fa755e1c8
SHA1 3e200e187e8cd21d3d1976ea0f7356626254de18
SHA256 01bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a
SHA512 6125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c

C:\Users\TEMP\Links\desktop.ini

MD5 de8858093993987d123060097a2bad66
SHA1 0a89e87ba46538cb73aff1a47e4dc0bcfb4760d5
SHA256 4c0d757717dec80eca8c6cbbfdda4706eb38fbbb7624933d5429dafc7bb9f0ec
SHA512 fa348ac4025b599f460cb831338ce010dde8fba87587a6d078d6d594a30fee87ed112e412078c10604553f326cc7bd7627ae93b0e3d8a60cfeda0720cad29f4c

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 e4e50dfa455b2cbe356dffdf7aa1fcaf
SHA1 c58be9d954b5e2dd0e5efa23a0a3d95ab8119205
SHA256 9284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927
SHA512 bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169

C:\Users\TEMP\AppData\Local\Temp\RGI1287.tmp

MD5 3006752a2bcfeda0f75d551ea656b2ef
SHA1 b7198fc772be6d6261ed4e76aca3998e8f7a7bdb
SHA256 dfd64231860c732dced3dc78627a7844a08d5d3e4cd253fd81186bae33cc368a
SHA512 3fcfa7c8f46220852dc7efef5b29caba86825d0461a35559f26dbb2540c487b92059713f42fe1082a00a711d83216db012835673e1c54120ffa079e154950854

C:\Users\TEMP\AppData\Local\Temp\RGI12CB.tmp

MD5 a828b8c496779bdb61fce06ba0d57c39
SHA1 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256 c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512 effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

C:\Users\TEMP\Favorites\Links\Web Slice Gallery.url

MD5 873c8643cbbfb8ff63731bc25ac9b18c
SHA1 043cbc1b31b9988d8041c3d01f71ce3393911f69
SHA256 c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466
SHA512 356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943

C:\Users\TEMP\AppData\Local\Temp\www155C.tmp

MD5 ad93eaac4ac4a095f8828f14790c1f8c
SHA1 f84f24c4ca9d04485a0005770e3ef1ca30eede55
SHA256 729111c923821a7ad0bb23d1a1dea03edbf503cd8b732e2d7eb36cf88eaa0cac
SHA512 f561b98836233849c016227a3366fcf8449db662f21aecd4bd45eb988f6316212685ce7ce6e0461fb2604f664ed03a7847a237800d3cdca8ba23a41a49f68769

C:\Users\TEMP\AppData\Local\Temp\www155B.tmp

MD5 c2858b664c882dcce6042c40041f6108
SHA1 52eeaa0c7b9d17a8f56217f2ac912ba8fdc5041a
SHA256 b4a6fb97b5e3f87bcd9fae49a9174e3f5b230a37767d7a70bf33d151702eff91
SHA512 51522e67f426ba96495be5e7f8346e6bb32233a59810df2a3712ecd754a2b5d54d0049c8ea374bd4d20629500c3f68f40e4845f6bb236d6cca7d00da589b2260

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

MD5 da288dceaafd7c97f1b09c594eac7868
SHA1 b433a6157cc21fc3258495928cd0ef4b487f99d3
SHA256 6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2
SHA512 9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062

C:\Users\TEMP\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore

MD5 7724be77082b7785df32b6bcb75f7552
SHA1 3541002de404a807a883b49983e3c56f8a637501
SHA256 b4a63316ef4a92120d5d09ed7c3ea519eaf09ccb0e6cc7b6b656b516e79bd014
SHA512 5d59212973d0f52216745c57a5cc63147383058c5c75c7952847fc05ff548047bec15942877a0f446b0403eff467555f2bead711a034c695cab11a30ae614ed4

C:\Users\TEMP\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 6cbc5045365dfebb64971243e46d1f85
SHA1 0ec613ea4398494da266821757befcfddd6f6361
SHA256 aad1516f6df56e63b0376bb26c351455fc4179bb06225dcd0bae1f9f52ef0e1e
SHA512 3e4436644ed8d6f5d78e15ecbba50a51769b034911f883328621a0bcb150b94c3bf4bbf726cdb2e1fa465770dd0c5043037d1b46363b5c14aa8d83ec2b700f99

C:\Users\TEMP\AppData\Local\Microsoft\Windows Mail\edb.chk

MD5 77bc6ae1e0e8dd8f58baba9d2652855c
SHA1 cf1334feb2f458b28ead32eb505396c2165856c0
SHA256 106afb35de2db5b4367c8bc4b1833a58e8b4a6e0caa2e9032cb97870d7d66123
SHA512 697a49ad9e1a70b0e2ae35927d91273f6d61422dee863649bf59baf57b305d1e6893a39686a1650c17d514e613481fdb43230c11a92ec73fb253b3a1c9838888

memory/2268-613-0x0000000002740000-0x0000000002742000-memory.dmp

memory/2268-616-0x00000000028B0000-0x00000000028B1000-memory.dmp

memory/2268-623-0x0000000002700000-0x0000000002702000-memory.dmp

memory/2268-625-0x0000000002560000-0x0000000002561000-memory.dmp

C:\Users\TEMP\AppData\Local\Temp\wmsetup.log

MD5 bc0e063b347ae0d3a646534445e842f9
SHA1 1a2968d7ffbac4f2e9bb36255ebc81431757b828
SHA256 e8b4b2e9d901ce52cd7e746ed8f6ebaa6d85f2e2e9361300a9eb153f5a7b1791
SHA512 8220240ef7d6d4c2606e93fafd60d7450251be3e7e76c17682c388026aeca9636a293670b118f728376c1f84373584d7f44608901ff9f51a2a77e8ee37a2d62a

C:\Users\TEMP\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb

MD5 b8e91f2b3b7a59241965dc1b4b660e7f
SHA1 f1326e5dd0a326d4bc1990ac465180e1d3a385fc
SHA256 38ea0d42cb1a87f861dcbae99d69b9041de07b132e4ff980ab0f88b58850f17b
SHA512 b75e59f70d22e40bb65097a6fb99e63deef1b6004abc667a5e8c2b56387bff767f94350848ca59e91702ba47991c5805323aaae4d9c9aeeccfd5cd69031e031d

C:\Users\TEMP\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 3e65af2ec0d9017005c7642ff1c798f8
SHA1 14438b9671e15d05c8309b590556cca65da13406
SHA256 a667f2a04c4bddcea5706c475eed1438bbe8296f87d38dfa1c85c534fe1f21e4
SHA512 7908e28102d073ecb14b94029612fb3df96ffca197cc8658ea2ab82e1e39325c81400711b741ab294bf6f79a4cab8934f6b25c4f2c87e8fab19f701089010731

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

MD5 0a49ff7230c3fc8902d1c14dfe97c1b6
SHA1 2df504a89a8491116e825915f2ad50f5fcd74ad3
SHA256 d0abb6567d2098c69a27f1e14f2e684d4e71f24a6ff39f7358f4d6df49093bbf
SHA512 98133b3515499a9fd5f19a16c1125532304a5bf04b550b2d6cacbff8e226155bb5c84ff764a420c2b2cbfb881837e9c0a64c288e547e26effb1b10c1eb44a843

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 65ef1c091b078cf7de5d7f2bdd659318
SHA1 62afcedb32e4d7aea5f57c957e45425a6ff32183
SHA256 fec6b78dca081e21dcae184ecc8d0724ae4f40848040c96c460bf0aa8d57e39c
SHA512 c6000708cf17d40eb9db0fb8ea08a92a57fedba29a4b352ef8e592cb0e6645733673d07d9e59419d848ebbf31aa34d422cd60114625b379693b5f597e36039a4

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 8b94df9b0fddfaa2048f26cf80f81047
SHA1 6e3fdfd9e5db46fd899cab2ec016e1d930257c07
SHA256 b6c18d65e26b690ab65fb92b31e8f6b3a3f469f4a2e6398511c330052adbf737
SHA512 b46176c9547ed50ea96e4dabea15b9db9f04ad727333848b82a8ad9502eedfdc7c5c1341efcfecf4b9550b1e6896927b1c2a466d3a2774d2f928f7d7b490e702

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 25f0b2110458c49fb0490a1c3bba36d4
SHA1 2712cac3ddcd2c8d21bbe67a3557ba9df304cb6b
SHA256 daed10ed68732bcc93a5a3296f0e0d64717ea933ebf5be4eb2c0d13a3bb8109b
SHA512 fda1a34d172887db6e9a24f12a8f3f31590ed0f7439420e889ae9ec8a5b26cb6562598f280fac4a350197ed0e671f4d93d1fb0213440853407b5f412f2a841fb

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 3ee9cd714c66ef6bb4ba53b46711db95
SHA1 17f1bf8c07777a14e4482f9c1f0b96f86c428624
SHA256 6671435ba77b5ddbcf2f7f33dd209204456141a14ee52aaeecc361687248976c
SHA512 d66b8bf8eb99e5d462b3c2cbaef6fb823ab746033ee31d3c58cd3e2e69b1115e986c9990f02dc6968dfdc793785f9cd9280b1ca4354111884270cb8019c07ac4

C:\Users\TEMP\Searches\desktop.ini

MD5 089d48a11bff0df720f1079f5dc58a83
SHA1 88f1c647378b5b22ebadb465dc80fcfd9e7b97c9
SHA256 a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17
SHA512 f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8

C:\Users\TEMP\Searches\Everywhere.search-ms

MD5 0fa26b6c98419b5e7c00efffb5835612
SHA1 d904d6683a548b03950d94da33cdfccbb55a9bc7
SHA256 4094d158e3b0581ba433a46d0dce62f99d8c0fd1b50bb4d0517ddc0a4a1fde24
SHA512 b80a6f2382f99ca75f3545375e30353ed4ccd93f1185f6a15dbe03d47056dad3feea652e09440774872f5cba5ef0db9c023c45e44a839827a4b40e60df9fd042

C:\Users\TEMP\Searches\Indexed Locations.search-ms

MD5 b6acbeb59959aa5412a7565423ea7bab
SHA1 4905f02dbef69c830b807a32e9a4b6206bd01dc6
SHA256 99653a38c445ae1d4c373ee672339fd47fd098e0d0ada5f0be70e3b2bf711d38
SHA512 0058aa67ae9060cb708e34cb2e12cea851505694e328fd0aa6deba99f205afaffdf86af8119c65ada5a3c9b1f8b94923baa6454c2d5ab46a21257d145f9a8162

C:\Users\TEMP\Links\Downloads.lnk

MD5 87c161b973ad5a9f47555d13c44cc086
SHA1 3dd5878e4f3da0a3a570f7f33abcd947e2d76243
SHA256 b607890090d0fa2b2b462555f1dc7b58106c9cb021249591884852f548faadac
SHA512 35d545044207fb4d14677cd336b7faeda346983be3789d37dcd2e90cf378946d5a376ec2696a2891a67e288416404e272884a49af4d2e6ee4c7a6b1dfad98268

C:\Users\TEMP\Links\Desktop.lnk

MD5 f5416c5f93e878a19bd5a67079a40195
SHA1 bdd84bd46fbcfe2db701e593f178f096ef360076
SHA256 0746e46bee4e639c05475331ca66963bec78425508ea7eba9e7c4ef6f39e873a
SHA512 939ae027e1e7af6d27a12b426ef0218bafdcf766d891ab3dca970574f1f00957bd95e07687bbcce76b9f6012cfbd9e582eac275d0c10d241dc47c1c2c4c36838

C:\Users\TEMP\Links\RecentPlaces.lnk

MD5 0025c3a7d7c4e90e58332958b00d83c4
SHA1 01dd4fdb260f66923004acb5a874111a9d14da38
SHA256 36db348143da1b5c16b9074940e85761950ee30b533b7ca75924f2f4ef6b253b
SHA512 b5631c94bad794541d16f2fa3a02018f4b34b680b63a9f3b6a3da4329216567a7ba9ceb8d4bd18165b0e55142f42e039f160ec675c0946237c276de1a6e642c4

C:\Users\TEMP\AppData\Local\Temp\chrome_installer.log

MD5 44b3bc65e8ff2899000e4ad4ce12c735
SHA1 b59de74c7784adf8c0f1ad1b7cfda544f9eada0e
SHA256 ff19492230ba3e44ecf041d9f585778356d73c5eabf4968c14925b0b9650e7c5
SHA512 c0a5fee7bc89f6c3eb517f7c4536f415a0c208c903e76a7a1cd50cf6c7f192242fc75d6b6f683785971ae4a917e2a1ba681789cdcad44d1dcec536283eca77a4

C:\Users\TEMP\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 5b7a57fbc5e4d79e0a268374fe4a3d76
SHA1 afa1eb818312fb08b59949ddb5652b4d00973bda
SHA256 f43fc5167ee9e272f1e7af818d7d006a44152e993f57c0d64cee4839929d3473
SHA512 269bc3c5c67951f464b292cc7568ed28a98473be616e43b4beac40066a6c2aafce441bb233b89286a70f05b7993e74a362763aa05fcf373a4397a5b9b6a7641c

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini

MD5 3a33faac6513738fd86f43dff8989882
SHA1 afd4390e6b63c40e55ca08d27661a23d657b01a2
SHA256 21a4315cbae2b0e8db633e86c344171da86f115bcbbb745680ff6f577668c910
SHA512 8d7a47cba6b4d0da36151221c373625b67e44354b7cde41b5c3657e73a843b22a0a5b0bf92a4cbc32eac70b8292d674821085acf92bb58b94ea4542458c94b57

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

MD5 c910fa684319586befa06cc4aed635d5
SHA1 c84482597d35aff22ca1eb368a9f21f45a9234f2
SHA256 45b1f0134f7bbe79ffe6153600c169fa1c3c311c73f0de6651b1c8e2824c2ab7
SHA512 a77af54bf1c86af47a8c9486ebbccd9edc69463c6aa126175a53bd9ae14e3d71dd86d3812c7462de93c09c1367900403e64fb1bfc393c14ca8f71f2974c2fd82

C:\Users\TEMP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk

MD5 bb856494f6f923f1ffc2fb56aea3e935
SHA1 5eb8fc5b9a6a6807be52084bb4ca577d862f0291
SHA256 67de94078c5b7109675c26cb5d86ecf9228c3c0be5b04944728190fe09fbc126
SHA512 fd1eae63d854764d31ed94963e563c1a38ef01317f4e98d5ba869baa2fb07e76f763cbf84265885422ec2ec06f3522645d2903b6bfa7013cdcb056bac8e7b10f

C:\Users\TEMP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 1c61dc21f9b83172d65be1e94b79026f
SHA1 7324473ddda64b87c299bf6e3b9e9aff53f7fd74
SHA256 8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b
SHA512 9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8

C:\Users\TEMP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk

MD5 a7a10adb7f23fa365450c2df9fe7d735
SHA1 0d68ea81e97ef2b6ab37bbff4cf09276adbf11a1
SHA256 5ee0780857bf22aca17996bec48155633f7bc1457ee2fcd57a2307fba3b00cba
SHA512 b1b930b0e524c5f8b14cd584ca2cd97883b6a8af5854875812acb3b010897b23160d9b15d0de1a518c6cdbef7d73d76565802b6c2b9b9b54e9a0196fda187e44

C:\Users\TEMP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk

MD5 47b2e1c4ddd5fa161f4e7314222d7a29
SHA1 f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4
SHA256 20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772
SHA512 07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b

C:\Users\TEMP\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 e5a8eb64419f6d85a1b7aed2152616c2
SHA1 f5d94f8953bb235e35fccec0ea4f14ba69443081
SHA256 5266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7
SHA512 7c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6

C:\Users\TEMP\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

MD5 e0fd7e6b4853592ac9ac73df9d83783f
SHA1 2834e77dfa1269ddad948b87d88887e84179594a
SHA256 feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122
SHA512 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

C:\Users\TEMP\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms

MD5 21c35e62bfddf6f902e8ad9f97faffd6
SHA1 35be7001003a6cb2ddf2a7a61fc52da6d107926d
SHA256 f4963092294e70061d58415572acefca1e555885ea9461c1f5dbd3505604b448
SHA512 ec335f94c3fd1cfb403d2ec58279849715353f24c403fcdb51cf4fed2c2e8a7a4e171408db273c0834c213a1f55490d18d2b8eacf45c0544af5532ead353c786

memory/1956-1090-0x0000000005D70000-0x0000000005D80000-memory.dmp

C:\Users\TEMP\Desktop\CD Drive - Shortcut.lnk

MD5 deab7a7748c0285cb693acadd30a8c13
SHA1 9b44008ad741d9e306a2d590f10831886178018e
SHA256 0dad62dfbd2beda88c6599870027597d7e0732777a97c14b5e7e415c3b8833ec
SHA512 d0977a9e745539fb07ab7c3e0d3a1dcff8c65ccde285fecc339c88f19e8b343d11c140e9fbc56b2e2379d078e7d0e35760bb2dcddcb7eaefc257bfaaa5b377c7

C:\Users\TEMP\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms

MD5 c2b2993c2cc0a7b48dace17301ad829c
SHA1 4700c4eab7c8e93a7a5ef54ee7361833b21bb25a
SHA256 ba8ff787cd4dde225f26ff73afb9a0bb1e844aaa54a276f65bc99f0aba10494d
SHA512 7bf2c9e9af15a2a4834ffdbd7ce1c0d60ab1cc7f8f366530eb0b637ce0dfdf34df73599d20de446ef7a792b6c54fa670a70538ff5a9a6ca82cb9e88577c53d97

C:\Users\TEMP\AppData\Local\Temp\Guest.bmp

MD5 b0de08b6aada24cdd3458113d175f1a7
SHA1 225797b52f320b3efb2643c55fe55ab3a5618ae9
SHA256 40015814487b93a8372f33284d45586739a4a1e9d2b7961ab8c6d4d9561d10cb
SHA512 fd59488e0223f49d66bb3ca7a70e74b7ca2052769f78790aee0682e0306f6e9421d28ab9a34487bd8934571cccb6798c98040b25934dfe1f0a13c7ca490ecbe2

C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\nc1i6vih.default-release\prefs.js

MD5 cb42960c3b07a1f84aa537cceabc6506
SHA1 a399a9cf2c24a0bdb70eff2127f91ad8a29fab54
SHA256 93ed26cfdb58fdc5a43b0620ec9888e77fdaa9b308bc2b6c15a47cff2e7884c6
SHA512 3253bbc028c2795ad1100903d2d1aef540409cc5c3d327b839454c6392e122594be831192f5b229e827ab21fc3cfb44d36ff14b1f0f1e4a0965e6503a426ce48

C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\nc1i6vih.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 c42345291a013312a00f39e558db8f03
SHA1 2db23a9e18a4a44755715f4eadcd8645f8f4588f
SHA256 90eaf6bb422a84121a50ea235e93ad6067741fa15618a1624a48b546275a837f
SHA512 efdd3e424b38f71e2c95e47257a52f234bc42d3111d4691080184c735500adc1bb833fa2a995d4f534d714cf232d6a12b6f0b05aeb7831fb06b6a08c2a9ae0f0

C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\nc1i6vih.default-release\datareporting\glean\pending_pings\55b1a3f8-7d6b-4827-adab-75bf20546261

MD5 f814774d97da756b780fed35643147d6
SHA1 2270f6c0e965822a4128f655140108e09a5b3f6e
SHA256 636956a596d4e98107c4e36bc42cda13188aaec4a11bf587994ed28bac7bbace
SHA512 79f6639ec5c3a84e073508e07fe90c31d1fab1fa071470ea66ed7289b191666fa05e183ee09391ec0e888684d3c44c95a477e4e2e6778cb2da44974b43604f47

C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\nc1i6vih.default-release\datareporting\glean\pending_pings\0e699426-0000-49c9-ba92-72f46a1b37fa

MD5 caca83ee7b710341dc38e1b3b4fc5876
SHA1 bef4fae6f2b3a0c770fb254a33afc3eec1c9d9b1
SHA256 5b14d673bf2fa3c701b546338c07aaafd81a95a2f335e9bc346a432b0b00aaee
SHA512 c09d0b1881e43ea40d7f95fbc64fcafc28d5bca210601ee8b9d99b344c3034bbad26fc2f28d7183bac20dbc5942e82a68dde28f2e42b4aa289dab0609fd15a9b

C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\nc1i6vih.default-release\datareporting\glean\db\data.safe.bin

MD5 fb86eb9a2c5e6fc31f194e086901186e
SHA1 4107c1da6164865d03abd14fe7a234b9a6eb28b9
SHA256 d99a8d5ecf1fcf6f78f5efdf3abcd269bf500490a176fc2a00a73c4863ef98b7
SHA512 b2b8ee1c3cf38eebdc4d7c08bcf1989c2688223ce72d4f8118ed8becf971a1b2d83082743c0b134d9b6c7654c4675c64cb3721fe8b41c5dcc343411bf38d2355

C:\Users\TEMP\AppData\Local\Mozilla\Firefox\Profiles\nc1i6vih.default-release\activity-stream.discovery_stream.json.tmp

MD5 f0636758907f97570b52c9f0f91b3366
SHA1 1d176bf2e3168ae0f676204b2990684eaef47434
SHA256 b7e79eefb5d48d06dcc85a3c5d3137f7888ce99442eccfba6c2f0e93f20be479
SHA512 655accd3c4ae63021045fc4927c957cc9337b907927d1f4e029c9facc2d0b90b7f10b16236322f64fdf40e49d2ed6719db7b39d04e2648ac98c130c4664a81f6

C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\nc1i6vih.default-release\extensions.json.tmp

MD5 ad789187b4f39aae179f3009065c98fb
SHA1 a6c09d65ab866cc44bc80383ec3e43c94b06f25f
SHA256 8f1e61c64c0d391c1645c8822c30b7087ae2a29b000b9d264dc28e53ade24130
SHA512 7e7f95927cf5f4466484b0e623f716ceb684f9f6cc9fe29cb1e0039e1842829527719897d2a963e4e5c5254134b9e700dd1b78c662ff49585a52f42bf0205f9b

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

MD5 7d1d7e1db5d8d862de24415d9ec9aca4
SHA1 f4cdc5511c299005e775dc602e611b9c67a97c78
SHA256 ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda
SHA512 1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

C:\Users\TEMP\AppData\Roaming\Mozilla\Firefox\Profiles\nc1i6vih.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 9d14f5b80a5279fd1842240e998ff10c
SHA1 d8c71781c6d63e3831afec6117952e11c43c0108
SHA256 1ba1c814d6fdc5bd70db942b8b7cd0aaeaf1cbf3afff50782070211c68a8c522

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-11 13:04

Reported 2024-08-11 13:11

Platform win10v2004-20240802-en

Max time kernel 392s

Max time network 366s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\hello.bat"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\Update\\OneDriveSetup.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Delete Cached Standalone Update Binary = "C:\\Windows\\system32\\cmd.exe /q /c del /q \"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\StandaloneUpdater\\OneDriveSetup.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lolhahahackerwowohnoo\\wowcoolfile.png" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft C:\Windows\system32\wwahost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\ODOPEN\DEFAULTICON C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\INTERFACE\{944903E8-B03F-43A0-8341-872200D2DA9C}\PROXYSTUBCLSID32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1\ = "SyncEngineFileInfoProvider Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\ = "FileSyncOutOfProcServices Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{d8c80ebb-099c-4208-afa3-fbc4d11f8a3c}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\INTERFACE\{DA82E55E-FA2F-45B3-AEC3-E7294106EF52}\TYPELIB C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\ProgID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cloudexperiencehost_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cloudexperiencehos = "0" C:\Windows\system32\wwahost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\WOW6432NODE\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\INPROCSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\TYPELIB\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\FLAGS C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\FileSyncClient.FileSyncClient\ = "FileSyncClient Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\NucleusToastActivator.NucleusToastActivator C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "PSFactoryBuffer" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{da82e55e-fa2f-45b3-aec3-e7294106ef52}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\WOW6432NODE\INTERFACE\{FAC14B75-7862-4CEB-BE41-F53945A61C17}\PROXYSTUBCLSID32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\TYPELIB\{F904F88C-E60D-4327-9FA2-865AD075B400}\1.0\0\WIN32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\ = "UpToDateUnpinnedOverlayHandler Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider.1 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{1196AE48-D92B-4BC7-85DE-664EC3F761F1} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\ = "IFileSyncOutOfProcServices" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\WOW6432NODE\INTERFACE\{A87958FF-B414-7748-9183-DBF183A25905}\TYPELIB C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{D0ED5C72-6197-4AAD-9B16-53FE461DD85C}\ = "IFileUploadCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{22A68885-0FD9-42F6-9DED-4FB174DC7344}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\WOW6432NODE\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{A87958FF-B414-7748-9183-DBF183A25905} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\VERSIONINDEPENDENTPROGID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{1EDD003E-C446-43C5-8BA0-3778CC4792CC} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\mssharepointclient\shell C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\amd64\\FileSyncShell64.dll" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{10C9242E-D604-49B5-99E4-BF87945EF86C}\ = "ISyncChangesCallback" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\TypeLib\{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\21.220.1024.0005" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\OOBERequestHandler.OOBERequestHandler\ = "OOBERequestHandler Class" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{B54E7079-90C9-4C62-A6B8-B2834C33A04A}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\TYPELIB\{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32 C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\TYPELIB C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_CLASSES\WOW6432NODE\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\VERSIONINDEPENDENTPROGID C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\WOW6432Node\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40}\TypeLib C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
64 events recorded; the sandbox captured no description, indicator, process or target for any of them (every field N/A), so the driver loads cannot be attributed to a process from this report.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: 35 (privilege LUID not resolved to a name by the sandbox; LUID 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE, SeCreateSymbolicLinkPrivilege, in winnt.h) N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wwahost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wwahost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wwahost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 64 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2084 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2084 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2084 wrote to memory of 4520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 2084 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 2664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 4612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 4608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 2320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2084 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 3840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2084 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1516 wrote to memory of 2268 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\dashost.exe
PID 1516 wrote to memory of 2268 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\dashost.exe
PID 2648 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
PID 2648 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
PID 2648 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
PID 3788 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
PID 3788 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
PID 3788 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\hello.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Add-Type -TypeDefinition @'

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\wowcoolfile.png" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\msg.exe

msg * "Error 404: Productivity not found. Did you try turning it off and on again?"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 500: Coffee is empty. Time to panic"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 403: Access to Netflix denied. Go outside for a change"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 301: Memes not loading. Did you check your WiFi connection?"

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\system32\msg.exe

msg * "Error 999: The 'Enter' key is broken. Please perform a ritual dance to fix it."

C:\Windows\system32\timeout.exe

timeout /t 4 /nobreak

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Invoke-WebRequest -Uri 'https://mirrors.cicku.me/linuxmint/iso/stable/22/linuxmint-22-cinnamon-64bit.iso' -OutFile 'C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\linuxmint-22-cinnamon-64bit.iso'"

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

C:\Windows\system32\timeout.exe

timeout /t 2 /nobreak

C:\Windows\system32\timeout.exe

timeout /t 1 /nobreak

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Windows\system32\dashost.exe

dashost.exe {e1f77d4f-4b07-4c5b-a59dcb731f570f46}

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe

/updateInstalled /background

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k SDRSVC

C:\Windows\system32\wwahost.exe

"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" EditUser S-1-5-21-786284298-625481688-3210388970-1001

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa38ba055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 mirrors.cicku.me udp
US 104.18.130.116:443 mirrors.cicku.me tcp
US 8.8.8.8:53 116.130.18.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 92.129.74.13.in-addr.arpa udp
US 8.8.8.8:53 23.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 132.194.113.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 cxcs.microsoft.net udp
GB 23.206.78.251:443 cxcs.microsoft.net tcp
GB 184.28.176.112:443 www.bing.com tcp
US 8.8.8.8:53 112.176.28.184.in-addr.arpa udp
US 8.8.8.8:53 251.78.206.23.in-addr.arpa udp
US 8.8.8.8:53 account.live.com udp
US 13.107.42.22:443 account.live.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 51.140.242.104:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 acctcdn.msftauth.net udp
US 152.199.21.175:443 acctcdn.msftauth.net tcp
US 152.199.21.175:443 acctcdn.msftauth.net tcp
US 152.199.21.175:443 acctcdn.msftauth.net tcp
US 152.199.21.175:443 acctcdn.msftauth.net tcp
US 152.199.21.175:443 acctcdn.msftauth.net tcp
US 152.199.21.175:443 acctcdn.msftauth.net tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 22.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
DE 51.116.253.169:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 169.253.116.51.in-addr.arpa udp
US 8.8.8.8:53 fpt.live.com udp
US 52.167.30.171:443 fpt.live.com tcp
US 8.8.8.8:53 171.30.167.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
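The Processes and Network sections above are enough to triage this detonation by hand, but the same checks are worth automating when many sandbox reports have to be screened. The Python below is an added example written for this page, not code from the sandbox or from the sample: it tags the hello.bat command lines by behaviour (the reg.exe wallpaper write, the rundll32 UpdatePerUserSystemParameters refresh that makes the change visible, the msg * broadcasts, and the PowerShell Invoke-WebRequest download cradle), separates the Network table into reverse-DNS lookups, Microsoft first-party endpoints and everything else, and correlates the download URL with the TCP destination it produced. The command lines and network rows embedded in it are copied from the two tables above; the rule names, the Microsoft suffix list and the decision to count only TCP rows as connections are this example's own assumptions.

```python
"""Triage helpers for the Processes and Network tables of a sandbox report.

Added example for this page: not the sandbox's code and not part of the
sample. Sample inputs are copied from the report's own tables; the rule
names, suffix list and TCP-only counting are this example's assumptions.
"""
import re
from urllib.parse import urlparse

# Command lines copied from the Processes section (a representative subset).
PROCESS_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\hello.bat"',
    r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\wowcoolfile.png" /f',
    r'RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters',
    r'msg * "Error 404: Productivity not found. Did you try turning it off and on again?"',
    r'timeout /t 4 /nobreak',
    r'''powershell -command "Invoke-WebRequest -Uri 'https://mirrors.cicku.me/linuxmint/iso/stable/22/linuxmint-22-cinnamon-64bit.iso' -OutFile 'C:\Users\Admin\AppData\Local\Temp\lolhahahackerwowohnoo\linuxmint-22-cinnamon-64bit.iso'"''',
    r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart',
]

# Rows copied from the Network table: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "mirrors.cicku.me", "udp"),
    ("US", "104.18.130.116:443", "mirrors.cicku.me", "tcp"),
    ("US", "8.8.8.8:53", "116.130.18.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("GB", "23.206.78.251:443", "cxcs.microsoft.net", "tcp"),
    ("US", "13.107.42.22:443", "account.live.com", "tcp"),
]

# Behaviour rules (names are this example's own). Each corresponds to a
# signature the report raised: wallpaper set via registry, rundll32 proxy
# execution, blocklisted process making a network request.
RULES = {
    # reg.exe rewriting HKCU\Control Panel\Desktop\Wallpaper.
    "wallpaper_set": re.compile(
        r'reg(\.exe)?\s+add\s+"?HKCU\\Control Panel\\Desktop"?\s+/v\s+Wallpaper', re.I),
    # user32!UpdatePerUserSystemParameters makes Explorer re-read the value,
    # so the new wallpaper shows without a logoff.
    "wallpaper_refresh": re.compile(
        r'rundll32(\.exe)?\s+user32\.dll\s*,\s*UpdatePerUserSystemParameters', re.I),
    # msg * pops a dialog in every interactive session.
    "broadcast_message": re.compile(r'^msg\s+\*\s', re.I),
    # PowerShell download cradle.
    "powershell_download": re.compile(r'Invoke-WebRequest\b', re.I),
}
URL_RE = re.compile(r'''-Uri\s+['"]?(https?://[^\s'"]+)''', re.I)

# Suffixes treated as Microsoft first-party traffic (assumption for triage;
# it attributes the OneDrive updater's traffic, it does not prove it benign).
MICROSOFT_SUFFIXES = (".microsoft.com", ".microsoft.net", ".bing.com",
                      ".bing.net", ".live.com", ".msftauth.net")


def classify_cmdline(cmdline):
    """Names of the rules that match one command line, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def download_urls(cmdlines):
    """URLs passed to Invoke-WebRequest -Uri anywhere in the process list."""
    urls = []
    for cmd in cmdlines:
        if "powershell_download" in classify_cmdline(cmd):
            urls.extend(URL_RE.findall(cmd))
    return urls


def is_ptr_lookup(domain):
    """Reverse-DNS names: the sandbox resolves every peer it sees, so these are noise."""
    return domain.endswith((".in-addr.arpa", ".ip6.arpa"))


def triage_network(rows):
    """Count PTR lookups and group TCP connections by domain into Microsoft vs other."""
    summary = {"ptr_lookups": 0, "microsoft": {}, "other": {}}
    for _country, dest, domain, proto in rows:
        if is_ptr_lookup(domain):
            summary["ptr_lookups"] += 1
        elif proto == "tcp":  # udp/53 rows are only the resolver query for the same name
            bucket = "microsoft" if domain.endswith(MICROSOFT_SUFFIXES) else "other"
            summary[bucket].setdefault(domain, set()).add(dest)
    return summary


def correlate_downloads(cmdlines, rows):
    """For each download-cradle host, the TCP destinations the Network table shows for it."""
    net = triage_network(rows)
    seen = {**net["microsoft"], **net["other"]}
    return {urlparse(u).hostname: sorted(seen.get(urlparse(u).hostname, ()))
            for u in download_urls(cmdlines)}


if __name__ == "__main__":
    for cmd in PROCESS_CMDLINES:
        tags = classify_cmdline(cmd)
        if tags:
            print(f"{', '.join(tags):20} {cmd[:70]}")
    net = triage_network(NETWORK_ROWS)
    print(f"PTR lookups ignored: {net['ptr_lookups']}")
    print("Microsoft:", sorted(net["microsoft"]))
    print("Other:", {d: sorted(v) for d, v in net["other"].items()})
    print("Download hosts vs connections:", correlate_downloads(PROCESS_CMDLINES, NETWORK_ROWS))
```

Run as a script it prints the tagged command lines and the network summary. On the rows above it leaves exactly one non-Microsoft TCP destination, mirrors.cicku.me at 104.18.130.116:443, which is the host named in the Invoke-WebRequest line, so the download in the process list and the external connection in the Network table account for each other; the remaining TCP traffic goes to Microsoft domains, consistent with the OneDriveSetup.exe /update processes rather than with hello.bat.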

Files

memory/64-0-0x00007FF958F03000-0x00007FF958F05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v4kslw2v.avv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/64-6-0x000001CAB2840000-0x000001CAB2862000-memory.dmp

memory/64-11-0x00007FF958F00000-0x00007FF9599C1000-memory.dmp

memory/64-12-0x00007FF958F00000-0x00007FF9599C1000-memory.dmp

memory/64-13-0x00007FF958F00000-0x00007FF9599C1000-memory.dmp

memory/64-16-0x00007FF958F00000-0x00007FF9599C1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Public\Music

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\PreSignInSettingsConfig.json

MD5 e516a60bc980095e8d156b1a99ab5eee
SHA1 238e243ffc12d4e012fd020c9822703109b987f6
SHA256 543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA512 9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\THHXO5RX\update100[1].xml

MD5 53244e542ddf6d280a2b03e28f0646b7
SHA1 d9925f810a95880c92974549deead18d56f19c37
SHA256 36a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA512 4aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe

MD5 fb4aa59c92c9b3263eb07e07b91568b5
SHA1 6071a3e3c4338b90d892a8416b6a92fbfe25bb67
SHA256 e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9
SHA512 60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

MD5 2e002908fe738397797b75a953ead7ba
SHA1 48d8aa92540fae557366fcfd6be5ac9208f8e9c3
SHA256 e20431d572f0419121fbe50da467fdbbd43cd2705d469689df95b717738a356a
SHA512 cd367f4b1074e3a5d7f0be78622b450df3115eeaab487839b73fee3b150de88e25fa6eabf120489c7557c938640012bfc292b9ea684158377fe12dd8aaa36fa3

C:\Users\Admin\AppData\Local\Temp\tmpC867.tmp

MD5 5b16ef80abd2b4ace517c4e98f4ff551
SHA1 438806a0256e075239aa8bbec9ba3d3fb634af55
SHA256 bbc70091b3834af5413b9658b07269badd4cae8d96724bf1f7919f6aab595009
SHA512 69a22b063ab92ca7e941b826400c62be41ae0317143387c8aa8c727b5c9ee3528ddd4014de22a2a2e2cbae801cb041fe477d68d2684353cdf6c83d7ee97c43d4

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\settings\Personal\logUploaderSettings_temp.ini

MD5 cc04d6015cd4395c9b980b280254156e
SHA1 87b176f1330dc08d4ffabe3f7e77da4121c8e749
SHA256 884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e
SHA512 d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-100.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-400.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-200.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-400.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-200.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-150.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-125.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.scale-100.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-400.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-150.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-125.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-white_scale-100.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-200.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-150.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDrive.VisualElementsManifest.xml

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Resources.pri

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-400.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveStandaloneUpdater.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-200.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-150.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-125.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.scale-100.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogoImages\OneDriveMedTile.contrast-black_scale-125.png

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LoggingPlatform.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\msvcp140.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Telemetry.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\vcruntime140.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\UpdateRingSettings.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\ucrtbase.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\OneDriveTelemetryStable.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncClient.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\Qt5Core.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\adal.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\WebView2Loader.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncViews.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\LogUploader.dll

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\SyncEngine.DLL

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncSessions.dll

C:\Users\Admin\AppData\Local\Temp\aria-debug-2648.log

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncTelemetryExtensions.dll

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3LOPQ2ZV\account.live[1].xml
