Malware Analysis Report

2025-01-22 16:26

Sample ID 241002-tpmzgavhkl
Target http://gfdfd
Tags
gozi banker defense_evasion discovery evasion persistence privilege_escalation ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://gfdfd was found to be: Known bad.

Malicious Activity Summary

gozi banker defense_evasion discovery evasion persistence privilege_escalation ransomware trojan

Modifies visibility of file extensions in Explorer

Gozi

Boot or Logon Autostart Execution: Active Setup

System Binary Proxy Execution: Rundll32

Drops startup file

Drops desktop.ini file(s)

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Event Triggered Execution: Accessibility Features

Program crash

Browser Information Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies registry class

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy WMI provider

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer Protected Mode

Checks processor information in registry

Modifies Internet Explorer start page

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-02 16:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 16:14

Reported

2024-10-02 16:59

Platform

win7-20240903-en

Max time kernel

1102s

Max time network

2167s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" http://gfdfd

Signatures

Gozi

banker trojan gozi

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\explorer.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "a" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\System32\regsvr32.exe N/A

System Binary Proxy Execution: Rundll32

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\a\Searches\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Desktop\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Favorites\Links for United States\desktop.ini C:\Windows\System32\mctadmin.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\unregmp2.exe N/A
File created C:\Users\a\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Program Files\Windows Mail\WinMail.exe N/A
File opened for modification C:\Users\a\Favorites\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Searches\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Links\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Favorites\Links\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\a\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\explorer.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Contacts\desktop.ini C:\Program Files (x86)\Windows Mail\WinMail.exe N/A
File opened for modification C:\Users\a\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Downloads\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Windows\explorer.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\a\Contacts\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Saved Games\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Desktop\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Contacts\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Favorites\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Saved Games\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\Downloads\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1001\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1001\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\regsvr32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ocuments.tmp C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Searches C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Searches\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\fwlink[1] C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore C:\Program Files\Windows Mail\WinMail.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms C:\Windows\System32\regsvr32.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg C:\Program Files\Windows Mail\WinMail.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf C:\Program Files\Windows Mail\WinMail.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F7E3ED5\12_All_Video.wpl C:\Windows\System32\unregmp2.exe N/A
File created C:\Windows\system32\config\systemprofile\Searches\Indexed Locations.search-ms C:\Windows\System32\regsvr32.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ocuments.tmp C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\explorer.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\tmp.edb C:\Program Files\Windows Mail\WinMail.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools C:\Windows\System32\regsvr32.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RFf7e6317.TMP C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ictures.tmp C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat C:\Windows\system32\RunDll32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Music C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore C:\Program Files\Windows Mail\WinMail.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg C:\Program Files\Windows Mail\WinMail.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ocuments.tmp C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Favorites\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edb.jcp C:\Program Files\Windows Mail\WinMail.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Pictures C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg C:\Program Files\Windows Mail\WinMail.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Desktop C:\Windows\explorer.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs C:\Program Files\Windows Mail\WinMail.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf C:\Program Files\Windows Mail\WinMail.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf C:\Program Files\Windows Mail\WinMail.exe N/A
File created C:\Windows\System32\%LOCALAPPDATA%\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Links C:\Windows\System32\regsvr32.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\Contacts\SYSTEM.contact C:\Program Files (x86)\Windows Mail\WinMail.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm C:\Program Files\Windows Mail\WinMail.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm C:\Program Files\Windows Mail\WinMail.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low C:\Program Files\Internet Explorer\iexplore.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D53F0163-80DB-11EF-A6BB-F2DF7204BD4F}.dat C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Desktop\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Contacts\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Favorites C:\Windows\System32\regsvr32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Windows\System32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.DAT C:\Windows\System32\rundll32.exe N/A
File opened for modification C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.INI C:\Windows\System32\rundll32.exe N/A
File created C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP C:\Windows\System32\ie4uinit.exe N/A
File created C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.INI C:\Windows\System32\ie4uinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Windows\explorer.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Windows\explorer.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\rundll32.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Windows\explorer.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\runonce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Mail\WinMail.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\runonce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Mail\WinMail.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\explorer.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Windows\system32\csrss.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Windows\system32\csrss.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\System32\ie4uinit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\4\IEPropFontName = "Times New Roman" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Show_ToolBar = "yes" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmx C:\Windows\System32\unregmp2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Do404Search = 01000000 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\30\IEPropFontName = "Microsoft Yi Baiti" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "Raavi" C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Document Windows\x = 00000080 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Plantagenet Cherokee" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\33 C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\New Windows\UseSecBand = "1" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\ C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\6\IEPropFontName = "Times New Roman" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\14 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\14\IEPropFontName = "Kalinga" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Khmer UI" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Local Page = "C:\\Windows\\system32\\blank.htm" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Document Windows C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Windows\\web\\wallpaper\\Windows\\img0.jpg" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\14\IEFixedFontName = "Kalinga" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\XMLHTTP = "1" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\5\IEFixedFontName = "Courier New" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\23 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\38\IEFixedFontName = "MV Boli" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\SQM C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\SQM\InstallDate = "1727886468" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Cache_Update_Frequency = "Once_Per_Session" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wax C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\SOFTWARE\Microsoft\Internet Explorer\Document Windows C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Sylfaen" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\34 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\35 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Desktop\General C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmz C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "Sylfaen" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\24 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\32\IEPropFontName = "Segoe UI Symbol" C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\New Windows\PlaySound = "1" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\15\IEPropFontName = "Vijaya" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\23\IEFixedFontName = "GulimChe" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\29\IEFixedFontName = "Plantagenet Cherokee" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\32 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Settings\Anchor Color Visited = "128,0,128" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\958167e7_0 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Search Page = "http://go.microsoft.com/fwlink/?LinkId=54896" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\SOFTWARE\Microsoft\Internet Explorer\Settings C:\Windows\System32\ie4uinit.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" C:\Windows\System32\ie4uinit.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\SmCaptionWidth = "-255" C:\Windows\System32\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA = 000000005400000074000000859822000e00000015000000a06806004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e00470065007400740069006e0067005300740061007200740065006400000000000100000000000000f478befdfe070000900000000000000024d561020000000001000000000000005231befdfe070000020000000000000070d5610200000000b4db610200000000000000000000000000000000000000000404000000000000000000000000000090d6610200000000040400000000000094d6610200000000000000000000000098ba33fefe0700000000000000000000e0a133fefe070000000000000000000050d561020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c049360100000000c877c87b0000000060ea35010000000070b22500000000000000000000000000c0d761020000000020ea6102000000007870c87b00000000507818000000000000d66102000000000095fffefe070000b4db61020000000000000000000000009877b9fdfe070000000000000000000044d7610200000000b4db61020000000040d7610200000000524bc8760000000050d76102000000001d47c876000000003877c87b00000000010000000000000010d761020000000094d66102000000000000000000000000000000000000000000000000000000000000000000000000220024000e00000015000000a06806004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e00470065007400740069006e0067005300740061007200740065006400000000000100000000000000f478befdfe070000900000000000000024d561020000000001000000000000005231befdfe070000020000000000000070d5610200000000b4db610200000000000000000000000000000000000000000404000000000000000000000000000090d6610200000000040400000000000094d6610200000000000000000000000098ba33fefe0700000000000000000000e0a133fefe070000000000000000000050d561020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c049360100000000c877c87b0000000060ea35010000000070b22500000000000000000000000000c0d761020000000020ea6102000000007870c87b00000000507818000000000000d66102000000000095fffefe070000b4db61020000000000000000000000009877b9fdfe070000000000000000000044d7610200000000b4db61020000000040d7610200000000524bc8760000000050d76102000000001d47c876000000003877c87b00000000010000000000000010d761020000000094d66102000000000000000000000000000000000000000000000000000000000000000000000000220024000e00000015000000a06806004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e00470065007400740069006e0067005300740061007200740065006400000000000100000000000000f478befdfe070000900000000000000024d561020000000001000000000000005231befdfe070000020000000000000070d5610200000000b4db610200000000000000000000000000000000000000000404000000000000000000000000000090d6610200000000040400000000000094d6610200000000000000000000000098ba33fefe0700000000000000000000e0a133fefe070000000000000000000050d561020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c049360100000000c877c87b0000000060ea35010000000070b22500000000000000000000000000c0d761020000000020ea6102000000007870c87b00000000507818000000000000d66102000000000095fffefe070000b4db61020000000000000000000000009877b9fdfe070000000000000000000044d7610200000000b4db61020000000040d7610200000000524bc8760000000050d76102000000001d47c876000000003877c87b00000000010000000000000010d761020000000094d6610200000000000000000000000000000000000000000000000000000000000000000000000022002400 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\0\Sizes\0\Size #8 = "18" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\AppEvents\Schemes\Apps\Explorer\SearchProviderDiscovered C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@themeui.dll,-854 = "Windows Classic" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\2\Sizes\0\Size #3 = "20" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map\221530b59e42dc5d = ",1,HKCU,Software\\Microsoft\\Internet Explorer\\BrowserEmulation\\ClearableListData,UserFilter," C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\oobefldr.dll,-1220 = "Back up your files" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wpccpl.dll,-100 = "Parental Controls" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Google\Chrome\StabilityMetrics\user_experience_metrics.stability.exited_cleanly = "0" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map\343853448aea64b2 = ",33,HKCU,SOFTWARE\\Microsoft\\Internet Explorer\\Main,Cache_Update_Frequency," C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnPragre = 000000000d0000000000000000000000000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff70536aafe614db0100000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{15f0d5ed-0d3b-46b4-a9d9-1d6d0408a103}\Attributes C:\Windows\system32\utilman.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Show_URLToolBar = "yes" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\oobefldr.dll,-1180 = "Choose when to be notified about changes to your computer" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{fc914843-69ed-11ef-8ad4-806e6f6e6963}\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0\c458348e879991c4 = 2c002c000000 C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{0BF754AA-C967-445C-AB3D-D8FDA9BAE7EF} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0eec53be714db01 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{fc914844-69ed-11ef-8ad4-806e6f6e6963}\Data = 000000000df0adba41000000080000000000008000000000000000300000000000000000ff00e703ff000000160000000461d1900440000001000000010000000000000000000000000000000000000000005c005c003f005c00530054004f005200410047004500230056006f006c0075006d00650023007b00660063003900310034003800340030002d0036003900650064002d0031003100650066002d0038006100640034002d003800300036006500360066003600650036003900360033007d002300300030003000300030003000300030003100320044003000300030003000300023007b00350033006600350036003300300064002d0062003600620066002d0031003100640030002d0039003400660032002d003000300061003000630039003100650066006200380062007d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005c005c003f005c0056006f006c0075006d0065007b00660063003900310034003800340034002d0036003900650064002d0031003100650066002d0038006100640034002d003800300036006500360066003600650036003900360033007d005c000000570069006e0064006f0077007300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004e005400460053000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffffffffffffffffffffffffffffffffffff0000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\1\Sizes\0\Contrast = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2001 = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\gnfxzte.rkr = 000000000000000003000000341f0000000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\Scripts\29 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\3\Sizes\0\Color #0 = "16777215" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband\FavoritesChanges = "1" C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map\0f573547817bd52a = ",33,HKCU,AppEvents\\Schemes\\Apps\\Explorer\\BlockedPopup\\.current,," C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband\Favorites = 007c01000014001f80c827341f105c1042aa032ee45287d66852003100000000004259828211005461736b426172003c0008000400efbe42598282425982822a000000d3cb01000000070000000000000000000000000000005400610073006b0042006100720000001600140132005005000042597c822000494e5445524e7e312e4c4e4b0000a60008000400efbe42598282425982822a00000007cc010000000400000000000000000056000000000049006e007400650072006e006500740020004500780070006c006f007200650072002e006c006e006b000000400043003a005c00570069006e0064006f00770073005c00530079007300740065006d00330032005c00690065003400750069006e00690074002e006500780065002c002d0037003300310000001c00520000001d00efbe02004d006900630072006f0073006f00660074002e0049006e007400650072006e00650074004500780070006c006f007200650072002e00440065006600610075006c00740000001c00000000ee00000014001f80c827341f105c1042aa032ee45287d66852003100000000004259828210005461736b426172003c0008000400efbe42598282425982822a000000d3cb01000000070000000000000000000000000000005400610073006b004200610072000000160086003200c90800002359462c2000474f4f474c457e312e4c4e4b0000500008000400efbe42598282425982822a000000d6cb010000000700000000000000000000000000000047006f006f0067006c00650020004300680072006f006d0065002e006c006e006b0000001c001a0000001d00efbe02004300680072006f006d00650000001c000000ff C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Templates = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\Templates" C:\Windows\System32\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\2\Sizes\0\Color #16 = "8421504" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\Current Settings SaveAll\Sizes\0\Color #0 = "13158600" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{fc914847-69ed-11ef-8ad4-806e6f6e6963}\Drive Type = "17" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\rundll32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106\CheckSetting = 23004100430042006c006f00620000000000000001000000a0000000fe070000f03b4b3ce714db01000000007b00450038003400330033004200370032002d0035003800340032002d0034006400340033002d0038003600340035002d004200430032004300330035003900360030003800330037007d002e006e006f00740069006600690063006100740069006f006e002e003100300036002e0032002d003200360030003000370032003000370034000000000000000900000000000000000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\4\Sizes\0\DisplayName = "@themeui.dll,-2019" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\CaptionHeight = "-315" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "592" C:\Windows\System32\osk.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{fc914847-69ed-11ef-8ad4-806e6f6e6963}\StagingPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn" C:\Windows\explorer.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\Current Settings SaveAll\Sizes C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}\metricsid_enableddate = "1727886721" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\3\Sizes\0\Color #25 = "12632256" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Colors\MenuBar = "240 240 240" C:\Windows\System32\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA = 000000005500000083000000535e23000e00000015000000a06806004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e00470065007400740069006e0067005300740061007200740065006400000000000100000000000000f478befdfe070000900000000000000024d561020000000001000000000000005231befdfe070000020000000000000070d5610200000000b4db610200000000000000000000000000000000000000000404000000000000000000000000000090d6610200000000040400000000000094d6610200000000000000000000000098ba33fefe0700000000000000000000e0a133fefe070000000000000000000050d561020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c049360100000000c877c87b0000000060ea35010000000070b22500000000000000000000000000c0d761020000000020ea6102000000007870c87b00000000507818000000000000d66102000000000095fffefe070000b4db61020000000000000000000000009877b9fdfe070000000000000000000044d7610200000000b4db61020000000040d7610200000000524bc8760000000050d76102000000001d47c876000000003877c87b00000000010000000000000010d761020000000094d66102000000000000000000000000000000000000000000000000000000000000000000000000220024000e00000015000000a06806004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e00470065007400740069006e0067005300740061007200740065006400000000000100000000000000f478befdfe070000900000000000000024d561020000000001000000000000005231befdfe070000020000000000000070d5610200000000b4db610200000000000000000000000000000000000000000404000000000000000000000000000090d6610200000000040400000000000094d6610200000000000000000000000098ba33fefe0700000000000000000000e0a133fefe070000000000000000000050d561020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c049360100000000c877c87b0000000060ea35010000000070b22500000000000000000000000000c0d761020000000020ea6102000000007870c87b00000000507818000000000000d66102000000000095fffefe070000b4db61020000000000000000000000009877b9fdfe070000000000000000000044d7610200000000b4db61020000000040d7610200000000524bc8760000000050d76102000000001d47c876000000003877c87b00000000010000000000000010d761020000000094d66102000000000000000000000000000000000000000000000000000000000000000000000000220024000e00000015000000a06806004d006900630072006f0073006f00660074002e00570069006e0064006f00770073002e00470065007400740069006e0067005300740061007200740065006400000000000100000000000000f478befdfe070000900000000000000024d561020000000001000000000000005231befdfe070000020000000000000070d5610200000000b4db610200000000000000000000000000000000000000000404000000000000000000000000000090d6610200000000040400000000000094d6610200000000000000000000000098ba33fefe0700000000000000000000e0a133fefe070000000000000000000050d561020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000c049360100000000c877c87b0000000060ea35010000000070b22500000000000000000000000000c0d761020000000020ea6102000000007870c87b00000000507818000000000000d66102000000000095fffefe070000b4db61020000000000000000000000009877b9fdfe070000000000000000000044d7610200000000b4db61020000000040d7610200000000524bc8760000000050d76102000000001d47c876000000003877c87b00000000010000000000000010d761020000000094d6610200000000000000000000000000000000000000000000000000000000000000000000000022002400 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{fc914843-69ed-11ef-8ad4-806e6f6e6963}\Generation = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.3g2\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.midi\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.WMA C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wav\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/basic C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.dvr-ms C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2 C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wpl\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mid C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/aiff C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\shell\play\ = "&Play" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio C:\Windows\System32\unregmp2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010006000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f8c000000000000002000000e8070a004100720067006a0062006500780020002000330020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000400000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000b0780e0de814db0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e8070a004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000073ae2078e323294282c1e41cb67d5b9c0000000000000000000000001094750ce814db0100000000000000000000000000000d20218f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000cc0400000000000000000000e8070a00460067007600700078006c00580072006c00660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000000000000000000000000000000000000000000000000000000000090745b0ce814db01000000000000000000000000460067007600700078006c00580072006c0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ce0400000000000000000000e8070a00530076007900670072006500580072006c006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000700000000000000000000000000000000000000000000000000000000000000f0d55d0ce814db01000000000000000000000000530076007900670072006500580072006c0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000076ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-ms-wma C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.AudioCD\Shell\Play\Command C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.m1v\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.m3u C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aif C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.asx\OpenWithProgIds\WMP11.AssocFile.ASX = "0" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wm C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wmx C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.wvx\OpenWithProgIds\WMP11.AssocFile.WVX = "0" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-ms-wax C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4 C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg2a C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-wav\Extension = ".wav" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.m4a\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp2\CLSID = "{cd3afa98-b84f-48f0-9393-7edc34128127}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\NeverDefault C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-aiff\Extension = ".aiff" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD\Shell\Play\Command C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mpg C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.MTS\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wm C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cda\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mov C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rmi C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\NeverDefault C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wmx C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wvx\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mpa\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mid\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mts C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.MOD\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD\Shell C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wmz\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wtv\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeManageVolumePrivilege N/A C:\Program Files\Windows Mail\WinMail.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files\Windows Mail\WinMail.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\LogonUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\LogonUI.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\LogonUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files\Windows Mail\WinMail.exe N/A
N/A N/A C:\Program Files\Windows Mail\WinMail.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\System32\Magnify.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\Narrator.exe N/A
N/A N/A C:\Windows\System32\Magnify.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\System32\Magnify.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\Narrator.exe N/A
N/A N/A C:\Program Files\Windows Mail\WinMail.exe N/A
N/A N/A C:\Program Files\Windows Mail\WinMail.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\System32\Magnify.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\Narrator.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\Magnify.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\Narrator.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Windows\System32\osk.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2276 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2276 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2276 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2660 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2660 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2660 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 2660 wrote to memory of 1744 N/A C:\Windows\system32\rundll32.exe C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
PID 108 wrote to memory of 2016 N/A C:\Windows\system32\sethc.exe C:\Windows\explorer.exe
PID 108 wrote to memory of 2016 N/A C:\Windows\system32\sethc.exe C:\Windows\explorer.exe
PID 108 wrote to memory of 2016 N/A C:\Windows\system32\sethc.exe C:\Windows\explorer.exe
PID 1916 wrote to memory of 1680 N/A C:\Windows\system32\sethc.exe C:\Windows\explorer.exe
PID 1916 wrote to memory of 1680 N/A C:\Windows\system32\sethc.exe C:\Windows\explorer.exe
PID 1916 wrote to memory of 1680 N/A C:\Windows\system32\sethc.exe C:\Windows\explorer.exe
PID 1680 wrote to memory of 2204 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1680 wrote to memory of 2204 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1680 wrote to memory of 2204 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1680 wrote to memory of 2204 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1680 wrote to memory of 2204 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1680 wrote to memory of 1944 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 1680 wrote to memory of 1944 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 1680 wrote to memory of 1944 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 1680 wrote to memory of 1944 N/A C:\Windows\explorer.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 1944 wrote to memory of 920 N/A C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Program Files\Windows Mail\WinMail.exe
PID 1944 wrote to memory of 920 N/A C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Program Files\Windows Mail\WinMail.exe
PID 1944 wrote to memory of 920 N/A C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Program Files\Windows Mail\WinMail.exe
PID 1944 wrote to memory of 920 N/A C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Program Files\Windows Mail\WinMail.exe
PID 1916 wrote to memory of 2324 N/A C:\Windows\system32\sethc.exe C:\Windows\system32\taskmgr.exe
PID 1916 wrote to memory of 2324 N/A C:\Windows\system32\sethc.exe C:\Windows\system32\taskmgr.exe
PID 1916 wrote to memory of 2324 N/A C:\Windows\system32\sethc.exe C:\Windows\system32\taskmgr.exe
PID 1680 wrote to memory of 2616 N/A C:\Windows\explorer.exe C:\Windows\System32\unregmp2.exe
PID 1680 wrote to memory of 2616 N/A C:\Windows\explorer.exe C:\Windows\System32\unregmp2.exe
PID 1680 wrote to memory of 2616 N/A C:\Windows\explorer.exe C:\Windows\System32\unregmp2.exe
PID 1680 wrote to memory of 2332 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1680 wrote to memory of 2332 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1680 wrote to memory of 2332 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1680 wrote to memory of 2332 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1680 wrote to memory of 2332 N/A C:\Windows\explorer.exe C:\Windows\System32\regsvr32.exe
PID 1916 wrote to memory of 1676 N/A C:\Windows\system32\sethc.exe C:\Windows\system32\cmd.exe
PID 1916 wrote to memory of 1676 N/A C:\Windows\system32\sethc.exe C:\Windows\system32\cmd.exe
PID 1916 wrote to memory of 1676 N/A C:\Windows\system32\sethc.exe C:\Windows\system32\cmd.exe
PID 1680 wrote to memory of 1504 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 1504 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 1504 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 1504 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 1504 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 1504 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 1504 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 1680 wrote to memory of 1928 N/A C:\Windows\explorer.exe C:\Windows\System32\ie4uinit.exe
PID 1680 wrote to memory of 1928 N/A C:\Windows\explorer.exe C:\Windows\System32\ie4uinit.exe
PID 1680 wrote to memory of 1928 N/A C:\Windows\explorer.exe C:\Windows\System32\ie4uinit.exe
PID 1928 wrote to memory of 1056 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\ie4uinit.exe
PID 1928 wrote to memory of 1056 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\ie4uinit.exe
PID 1928 wrote to memory of 1056 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\ie4uinit.exe
PID 1928 wrote to memory of 2128 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\rundll32.exe
PID 1928 wrote to memory of 2128 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\rundll32.exe
PID 1928 wrote to memory of 2128 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\rundll32.exe
PID 1928 wrote to memory of 1076 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\rundll32.exe
PID 1928 wrote to memory of 1076 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\rundll32.exe
PID 1928 wrote to memory of 1076 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\rundll32.exe
PID 1076 wrote to memory of 2464 N/A C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 1076 wrote to memory of 2464 N/A C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 1076 wrote to memory of 2464 N/A C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe
PID 1076 wrote to memory of 2356 N/A C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://gfdfd

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\Desktop\BlockPush.bat" "

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\≈└á¼Bru°é∩M╪

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\≈└á¼Bru°é∩M╪"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x520

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\explorer.exe

explorer

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\explorer.exe

explorer

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files (x86)\Windows Mail\WinMail.exe

"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

C:\Windows\system32\taskmgr.exe

taskmgr

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\system32\cmd.exe

cmd

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -UserConfig

C:\Windows\System32\ie4uinit.exe

C:\Windows\System32\ie4uinit.exe -ClearIconCache

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13f957688,0x13f957698,0x13f9576a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13f957688,0x13f957698,0x13f9576a8

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding

C:\Windows\system32\taskmgr.exe

taskmgr

C:\Windows\system32\net.exe

net user administrator /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator /add

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1547429158-1373902668-2024677874-11184271686434354911401238080-2032904636578202826"

C:\Windows\system32\net.exe

net user a /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user a /add

C:\Windows\system32\taskmgr.exe

taskmgr

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\explorer.exe

explorer

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\ehome\ehshell.exe

"C:\Windows\ehome\ehshell.exe"

C:\Windows\system32\utilman.exe

utilman.exe /debug

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\System32\Narrator.exe

"C:\Windows\System32\Narrator.exe"

C:\Windows\System32\Magnify.exe

"C:\Windows\System32\Magnify.exe"

C:\Windows\System32\Sethc.exe

"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent

C:\Windows\system32\sethc.exe

sethc.exe 101

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17135971304426532751096545451-1535480276194882071190331675320802257452019475284"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "208217597674920377146785068-7346953641760398350-14608306121247937012-165444338"

C:\Windows\System32\osk.exe

"C:\Windows\System32\osk.exe"

C:\Windows\System32\Sethc.exe

"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1647998102-1822959147-706770388-4529340931018650556-2028652654484421602433360860"

C:\Windows\System32\Sethc.exe

"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1869723594458370052-983901033-766026772-1593374712-989823756-540395622993165723"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 1540

C:\Windows\system32\utilman.exe

utilman.exe /debug

C:\Windows\system32\utilman.exe

utilman.exe /debug

C:\Windows\System32\Narrator.exe

"C:\Windows\System32\Narrator.exe"

C:\Windows\System32\Magnify.exe

"C:\Windows\System32\Magnify.exe"

C:\Windows\system32\sethc.exe

sethc.exe 11

C:\Windows\System32\osk.exe

"C:\Windows\System32\osk.exe"

C:\Windows\System32\Sethc.exe

"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent

C:\Windows\System32\Sethc.exe

"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "5714886141392388876-8941102631292183243-1213535129-2027382060-706385686-1124195401"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 496

C:\Windows\system32\atbroker.exe

atbroker.exe

C:\Windows\System32\Narrator.exe

"C:\Windows\System32\Narrator.exe"

C:\Windows\system32\userinit.exe

C:\Windows\system32\userinit.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\Magnify.exe

"C:\Windows\System32\Magnify.exe"

C:\Windows\System32\osk.exe

"C:\Windows\System32\osk.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files (x86)\Windows Mail\WinMail.exe

"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -UserConfig

C:\Windows\System32\ie4uinit.exe

C:\Windows\System32\ie4uinit.exe -ClearIconCache

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\a\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402e7688,0x1402e7698,0x1402e76a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\a\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402e7688,0x1402e7698,0x1402e76a8

C:\Windows\System32\se6s8b.exe

"C:\Windows\System32\se6s8b.exe"

C:\Program Files\Windows Sidebar\sidebar.exe

"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun

C:\Windows\SysWOW64\runonce.exe

C:\Windows\SysWOW64\runonce.exe /Run6432

C:\Windows\System32\mctadmin.exe

"C:\Windows\System32\mctadmin.exe"

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\utilman.exe

utilman.exe /debug

C:\Windows\system32\utilman.exe

utilman.exe /debug

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1055562650-20369968291055028526-161111616171151843-2063975192-1426290071-968131873"

C:\Windows\system32\atbroker.exe

atbroker.exe

C:\Windows\System32\Narrator.exe

"C:\Windows\System32\Narrator.exe"

C:\Windows\System32\Magnify.exe

"C:\Windows\System32\Magnify.exe"

C:\Windows\system32\userinit.exe

C:\Windows\system32\userinit.exe

C:\Windows\System32\osk.exe

"C:\Windows\System32\osk.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\System32\se6s8b.exe

"C:\Windows\System32\se6s8b.exe"

C:\Windows\SysWOW64\runonce.exe

C:\Windows\SysWOW64\runonce.exe /Run6432

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\atbroker.exe

atbroker.exe

C:\Windows\System32\Narrator.exe

"C:\Windows\System32\Narrator.exe"

C:\Windows\System32\Magnify.exe

"C:\Windows\System32\Magnify.exe"

C:\Windows\System32\osk.exe

"C:\Windows\System32\osk.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8753940322127822750-1853342587-16522847008360386631660830970-873430749-740009737"

C:\Windows\explorer.exe

explorer

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 628

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "323112277-10358438-1033016452700847059-1330748291402623858290403121735725508"

C:\Windows\system32\utilman.exe

utilman.exe /debug

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Windows\System32\osk.exe

"C:\Windows\System32\osk.exe"

C:\Windows\system32\sethc.exe

sethc.exe 211

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-19412531421954550781313344011-1615207159-1780950295-864258427-1954857659-815005764"

C:\Windows\explorer.exe

explorer

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1328 CREDAT:275457 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1308,i,1298212300239402602,17711638018405647607,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1384 --field-trial-handle=1324,i,11259940913827840506,12212444998162921257,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 --field-trial-handle=1364,i,7455865877192020830,10640664324816448161,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1400 --field-trial-handle=1268,i,18401267704054357998,12364571754279006801,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1388 --field-trial-handle=1340,i,8776458224816259148,17609408611201864056,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1332,i,14444567473496082356,2121014453400488819,131072 /prefetch:8

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
GB 92.123.128.195:80 www.bing.com tcp
GB 92.123.128.195:80 www.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 clients2.google.com udp
GB 172.217.16.238:443 clients2.google.com tcp

Files

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

MD5 a2d31a04bc38eeac22fca3e30508ba47
SHA1 9b7c7a42c831fcd77e77ade6d3d6f033f76893d2
SHA256 8e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531
SHA512 ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6

C:\Windows\System32\config\systemprofile\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 17d5d0735deaa1fb4b41a7c406763c0a
SHA1 584e4be752bb0f1f01e1088000fdb80f88c6cae0
SHA256 768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed
SHA512 a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3

F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Windows\System32\config\systemprofile\Contacts\desktop.ini

MD5 662009dcf01a61351dd2984fdd3a811f
SHA1 7b85a7edbb43624c45d6a781df52a2526d0cf0a8
SHA256 aab2bc02ed2c8bdfbd22d0b8c0100dccb4fc90215fc8bd35ba82bf31536c8e38
SHA512 bcb70a6edabf8eef33682dcbf0064de90aac39d902f9e23c35af71dc2cdd3d6f2319f982daad56c1d9cf6999dd3447a1b98d02567089506717ec1a9568f80c46

C:\Windows\TEMP\WORKGROUP+WOUOSVRD$.bmp

MD5 343fa15c150a516b20cc9f787cfd530e
SHA1 369e8ac39d762e531d961c58b8c5dc84d19ba989
SHA256 d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524
SHA512 7726bd196cfee176f3d2002e30d353f991ffeafda90bac23d0b44c84c104aa263b0c78f390dd85833635667a3ca3863d2e8cd806dad5751f7984b2d34cafdc57

memory/920-83-0x0000000000E60000-0x0000000000E70000-memory.dmp

memory/920-89-0x0000000000F50000-0x0000000000F60000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 4372904ddd8e513fadd14fcff28b2108
SHA1 2eab36d57755074c3c7fb557f3ca3be390d825f2
SHA256 162ef156eeb1d22844569910b6b4105d4f0ff2acd421634047f9b2a3699f0c2e
SHA512 96f2226c4a3a96f1248307b5a3c42cfb8ae590f9e4b4f964270593255ecc7375dec345ba06f51b30d054d2ef9d836cabc374b1e83336ec1b9bac173ce4fa3960

memory/920-102-0x00000000012E0000-0x00000000012E1000-memory.dmp

memory/920-104-0x00000000010B0000-0x00000000010B2000-memory.dmp

memory/920-107-0x00000000010B0000-0x00000000010B2000-memory.dmp

memory/920-115-0x0000000001940000-0x0000000001942000-memory.dmp

memory/920-117-0x0000000001930000-0x0000000001932000-memory.dmp

memory/920-125-0x0000000001930000-0x0000000001932000-memory.dmp

memory/2324-126-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/920-181-0x0000000002040000-0x0000000002042000-memory.dmp

memory/920-182-0x0000000001F30000-0x0000000001F31000-memory.dmp

memory/920-185-0x00000000010C0000-0x00000000010C1000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\tmp.edb

MD5 290708775281bf2f313b4894208b72e5
SHA1 13878cd8b72a64624f44b842178f727bafc1734d
SHA256 c1e6c1de033f540bda5f1c8804b200e325e1b87fab420ef5f20f2993007f432e
SHA512 816aa4baf4684e3fd7ab109e26568ce16cef097eb5bef66a81f91e0c1d4b385ced73fec7cd875be809a1006e0bff18ca1edb18e18603438dd42b5602963c31f8

memory/920-189-0x0000000001080000-0x0000000001082000-memory.dmp

memory/920-191-0x0000000001060000-0x0000000001061000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Windows\System32\config\systemprofile\Contacts\desktop.ini

MD5 449f2e76e519890a212814d96ce67d64
SHA1 a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd
SHA256 48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7
SHA512 c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

C:\Windows\System32\config\systemprofile\Videos\desktop.ini

MD5 50a956778107a4272aae83c86ece77cb
SHA1 10bce7ea45077c0baab055e0602eef787dba735e
SHA256 b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978
SHA512 d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a

C:\Windows\System32\config\systemprofile\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

MD5 881dfac93652edb0a8228029ba92d0f5
SHA1 5b317253a63fecb167bf07befa05c5ed09c4ccea
SHA256 a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
SHA512 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

C:\Windows\System32\config\systemprofile\Music\desktop.ini

MD5 06e8f7e6ddd666dbd323f7d9210f91ae
SHA1 883ae527ee83ed9346cd82c33dfc0eb97298dc14
SHA256 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68
SHA512 f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98

C:\Windows\System32\config\systemprofile\Documents\desktop.ini

MD5 ecf88f261853fe08d58e2e903220da14
SHA1 f72807a9e081906654ae196605e681d5938a2e6c
SHA256 cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA512 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 82e29e8765f68642bdd340d93575bb33
SHA1 b1ae278523a7e1411cf5bee9309794857d0d3b7f
SHA256 89622204865eafb20be3d3fece5bc7bafbd13cc1466caa292b5eac80e0e3d1f7
SHA512 8fd22f80ebda186070dc422a6678a7716574d3ff0b74ce56730e7cfba4c2589ea23cb7b85bd642baedc61a7a53a1d92cb7ed4cf93ce8508bef3d2868c731f40f

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini

MD5 f107d0270e21a2fe91099fdc15918d44
SHA1 dabc2f24f4a4e90053743166e5c4175dcf2b2d2d
SHA256 eb315c9d165b4916e3b00e4d148b53a6c03a2f0694a6a8821d98e76f935ca6a8
SHA512 b5d51c0d6abe99121d4f4f1d236def4260b7d5c26c501d7735eba4f58e2597db0e89b2b1df16545e49fc39649806e5305efb912328541bdd31c01ff3d2bda49c

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 0ff56a4620c3221ff64ec61a3a0d3033
SHA1 3a45320be12b585dcdc5ab2af5ea1455b2c919a1
SHA256 0b0a65accca705494739d03b6c2ea769c78cd0eee996bc95b0c6ebc0941f4b1a
SHA512 962a340efeb6d18c85e5872997eebb83374e114be088689690ba438f0db8e2e4df6c24713a35cfaec518f58d5322cf9617638ea55ff279a9d161c4fdf9af74f6

C:\Windows\System32\config\systemprofile\Downloads\desktop.ini

MD5 3a37312509712d4e12d27240137ff377
SHA1 30ced927e23b584725cf16351394175a6d2a9577
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512 dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

C:\Windows\System32\config\systemprofile\Searches\desktop.ini

MD5 8e11566270550c575d6d2c695c5a4b1f
SHA1 ae9645fad2107b5899f354c9144a4dfc33b66f9e
SHA256 1dc14736f6b0e9b68059324321acc14e156cd3a2890466a23bf7abf365d6c704
SHA512 a9fc4b17d75f85ae64315ba94570cb5317b5510c655d3d5c8fb44091ea37f31e431e99ed5308252897bdd93c34e771bf80f456c4873ef0aa58ca9bbb2e5ff7e0

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 ba8912714de99b7f9f092359c715c2ba
SHA1 848b2a7ee8e345dfc16058027b97b0d5fb21970e
SHA256 118165d181acca0cf55eeeef80c65f898c6531de85d54dc5b707798700f9211f
SHA512 8b4a90c9226c2e4bdd8dc624f4f97fc37c60f46a999cdc79d625415ac5ec669b78edc30a9fd5dea70f204af94c27478e321a574f9b5b1683043a5d1e3e58f1fd

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

MD5 7f1698bab066b764a314a589d338daae
SHA1 524abe4db03afef220a2cc96bf0428fd1b704342
SHA256 cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76
SHA512 4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

MD5 548b310fbc7a26d0b9da3a9f2d604a0c
SHA1 1e20c38b721dff06faa8aa69a69e616c228736c1
SHA256 be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac
SHA512 fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 5547a64ee3681b1fca07111e73dcc51a
SHA1 0b16a54ccb7c0284df649594e006ca96e07ac296
SHA256 c6a3db953cc63f23aa5ff66de5fc6b483f6a1106cf1f77cbd73617b2c4340e0e
SHA512 21a6b9b2c578ea8d0bfb22c1b37b0dde47395ec958fa5c73eafeb8b865080db132e565c7e8ce2ab1d2e934f414e23b820f3ff3571a7d737453f3ace76d11cc25

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 ca2d2c997f17faa46919e88af4492e96
SHA1 a451d16adef01927334923b06d23de4f7795ef7a
SHA256 2f0ff41d51dce10038fe6cf18e086cf9137806be57040c1702cfde48eb7ddb94
SHA512 82de205e1dea3a556449b089004371ff7a5def6254643b2ca28743e621e5d9e274092c47a03cd87e824a565b7449285a74cb22580b2bdc159db012538c08676c

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 71159b34cff803461ccc828ef5cc14c7
SHA1 bb04181089930fed24a333a0f248866974b288f3
SHA256 38d60aefe7b33bce41f093b23a11a6df768ae5a745ede8a9ec861733491e9b49
SHA512 78091be628ede33b82689188379ea2c52808e78254ac0df9ca811515b9400a8174a77b1168b8380d4ce3af4f80d332a1652aedb5c619e995d4b4576b2e16c2b3

C:\Windows\System32\config\systemprofile\Links\desktop.ini

MD5 98470d9bd7fba55a0c303065f9c4f9be
SHA1 5303b190e29ba48332f7c90a832ef08af5a1953d
SHA256 3830022d5d7ef2ae2ca0a2b6ad73f0d4716b49bf7eeeaa87b618988d531b7c72
SHA512 134e072c3600bbb3c724c2700da399a14ba5b907153969362b3dbff32c480d39e7f5ecceebc9122a5a27265410557a16eb6bf82c9b635b90ef1fa0ae9efb849c

C:\Windows\System32\config\systemprofile\Saved Games\desktop.ini

MD5 b441cf59b5a64f74ac3bed45be9fadfc
SHA1 3da72a52e451a26ca9a35611fa8716044a7c0bbc
SHA256 e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311
SHA512 fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 453249f95d75eb5e450eb91fa755e1c8
SHA1 3e200e187e8cd21d3d1976ea0f7356626254de18
SHA256 01bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a
SHA512 6125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c

C:\Windows\System32\config\systemprofile\Links\desktop.ini

MD5 de8858093993987d123060097a2bad66
SHA1 0a89e87ba46538cb73aff1a47e4dc0bcfb4760d5
SHA256 4c0d757717dec80eca8c6cbbfdda4706eb38fbbb7624933d5429dafc7bb9f0ec
SHA512 fa348ac4025b599f460cb831338ce010dde8fba87587a6d078d6d594a30fee87ed112e412078c10604553f326cc7bd7627ae93b0e3d8a60cfeda0720cad29f4c

C:\Windows\Temp\RGI50EE.tmp

MD5 3006752a2bcfeda0f75d551ea656b2ef
SHA1 b7198fc772be6d6261ed4e76aca3998e8f7a7bdb
SHA256 dfd64231860c732dced3dc78627a7844a08d5d3e4cd253fd81186bae33cc368a
SHA512 3fcfa7c8f46220852dc7efef5b29caba86825d0461a35559f26dbb2540c487b92059713f42fe1082a00a711d83216db012835673e1c54120ffa079e154950854

C:\Windows\Temp\RGI52B7.tmp

MD5 a828b8c496779bdb61fce06ba0d57c39
SHA1 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256 c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512 effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

C:\Windows\System32\config\systemprofile\Favorites\Links\Web Slice Gallery.url

MD5 873c8643cbbfb8ff63731bc25ac9b18c
SHA1 043cbc1b31b9988d8041c3d01f71ce3393911f69
SHA256 c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466
SHA512 356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943

C:\Windows\Temp\www5671.tmp

MD5 ad93eaac4ac4a095f8828f14790c1f8c
SHA1 f84f24c4ca9d04485a0005770e3ef1ca30eede55
SHA256 729111c923821a7ad0bb23d1a1dea03edbf503cd8b732e2d7eb36cf88eaa0cac
SHA512 f561b98836233849c016227a3366fcf8449db662f21aecd4bd45eb988f6316212685ce7ce6e0461fb2604f664ed03a7847a237800d3cdca8ba23a41a49f68769

C:\Windows\Temp\www5670.tmp

MD5 c2858b664c882dcce6042c40041f6108
SHA1 52eeaa0c7b9d17a8f56217f2ac912ba8fdc5041a
SHA256 b4a6fb97b5e3f87bcd9fae49a9174e3f5b230a37767d7a70bf33d151702eff91
SHA512 51522e67f426ba96495be5e7f8346e6bb32233a59810df2a3712ecd754a2b5d54d0049c8ea374bd4d20629500c3f68f40e4845f6bb236d6cca7d00da589b2260

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

MD5 da288dceaafd7c97f1b09c594eac7868
SHA1 b433a6157cc21fc3258495928cd0ef4b487f99d3
SHA256 6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2
SHA512 9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062

C:\Windows\system32\config\systemprofile\Contacts\SYSTEM.contact

MD5 7a9e94a2e036d09e99069c34e14a5e7b
SHA1 789ffb876a3eb6b5eb353e65ee584edd828caae4
SHA256 260c733f537855faee6c022dac35bb7a3246dddc381095b0e1e8adf57538aafe
SHA512 ec7f6fe811a53b596ab5d0ec1333c1a6679e74a15182ab76a096cef73c4f8b7b23ab961d850c14ce751afead0df62e5d9974886c3c5218eaf7d1a468411eb40d

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore

MD5 d78032acd1c8dd515415073bba52b834
SHA1 3c4a449eefbbf1fea3c195e41716b4e35aab4247
SHA256 251b1c4fe4b12b65cb9554dd0ee94840ab9eafc2e6b88b685b3fe3a761bbaa33
SHA512 14ee576fafad88fb12386919d7dbba962dc45d33ee3ae34841dde90049c63cb0ffce38887ce810ce072bc3153aed9a249b5a64e3ca55cb3309deccecce2be3e8

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edb.chk

MD5 109240ed103d3d4a1b9e30bccbdaa663
SHA1 d6686324732f98ef9a1f363611b4ab4bc58e86e4
SHA256 fd7a7193bd945a35305b01eb63bcea90e7f4394194266b2a29971069176d9385
SHA512 74cf470e563a376d6c707ac62b4fa7889c34789f0ebdab9be79203a6a39def319112fe0642a4abc0662fb9b915e1398ef692a7b5dc846cb3a395455732a14bf0

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 c109eb4e2160ba5d5aeb4ce40baf0659
SHA1 53196582e44a26c705d81228de540a6a0363e418
SHA256 7f21e8f231e3643d6a72ca9706542b59fa176be8fe158f04762f831fd5ed140b
SHA512 0be526aa00cb14ce94cbc6a64438548adecb7838ccb1e06459efb080b20838a8c79c5dcd979196af6cf0edaf6d7278b89167f1da01d040033b8887689036094d

memory/2744-660-0x00000000010E0000-0x00000000010E2000-memory.dmp

memory/2744-663-0x0000000001250000-0x0000000001251000-memory.dmp

memory/2744-670-0x0000000000FE0000-0x0000000000FE2000-memory.dmp

memory/2744-672-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

C:\Windows\TEMP\wmsetup.log

MD5 031123bd86b265bf6126fb7b2f406fde
SHA1 3a79714b3ad96ff6a46f1d6171b0973b22fae6f2
SHA256 767dadef28d530722307b8f30183d04b23593f2f432a7119edabe6b91cc7846f
SHA512 f5118c7647179665db33bee1706f861ab09e3c866fac331921c54269bc9900b1dfaed240a70316e64f580d7ddf25fae904a61b5e6d2564b2e8b4176e25fbef33

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb

MD5 44fa566c0521a2d3fd76a63c50a55db3
SHA1 8e7bcd498d59895eca9cc9a7e863c6e392d7ff5f
SHA256 f1f2eff3221ab30881dd6979c583812cfe3a723328625097ce2c957f3693c54a
SHA512 4289004abed9b93cdd9a488ff86d4aca0584f59cc9ce209f4dee131f111633f8483f854d1ce9a9383c914f569acecdebad4a4fc713e7f14a73dccbb0cba83f83

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 985af2a51256e8b3561934cfd501cd0c
SHA1 2e8cf9c730c2da0b49a692498cff29f4c20d5e00
SHA256 977188078ba4f9c390243977b1d0f4ed4478a2ad4407be861d757d73273a56b9
SHA512 855fded3e4af0b021c9f195307e70922f351524044579fc4a7cb369520d1f8441656ea672665cbec8eebdadf1653aceb36e9af4b7188077106663cd690a2d496

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 46a4eca2a791d84afecfd9f129a567df
SHA1 004f2926d9377cc23c5b68ce26907435b8539643
SHA256 06b6d34db7e9ebecc07e0b53fedb2a9bc2d4563b1d2037b7630fbc002942baf7
SHA512 dbeecf882210add0dd4ac57f75ccdf6a9604c3308e92f70747313f89a7f9c590f4e1cdd507e53ee37e0a1b7e437320dc6ec1299d406ef34ddd67dfd900fddd98

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 e4e50dfa455b2cbe356dffdf7aa1fcaf
SHA1 c58be9d954b5e2dd0e5efa23a0a3d95ab8119205
SHA256 9284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927
SHA512 bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

MD5 aa8cd4830f0b395931c20e0fcddebd39
SHA1 d951f7eb9aab2f9c71b585da50fd04af30556657
SHA256 fb834f07bd23e31fe943be778dd24f50fc5a419e44cb800dea1234467825d4f4
SHA512 9a8c828c17f106dcfe35df1fe529bed42356beeb0a5ce35fc4cf80f05a79cae85af0bc979fbcba0ef9e94112be6eec710311268764cf617371ac7defdd113020

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk

MD5 9629eec059619f6bc69af29c43db8df6
SHA1 5eac910525991a377c4b26f56c445062aa2e6fee
SHA256 be25aed4dd8b6caea5885fe17f19318180b28183d8592fa2058085ee0d7cc826
SHA512 a1019ce17fa50174fc9dab7fed868cec5094c76d781f608dff80ad8e15f1bbc370715185459ed14ad40ccda36387286c11abeeb1154933f9023c596831acf7a6

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 901cc4a96ebb6a7f2da932b48cf7f42d
SHA1 5179a95a931f289c2a6757a3cddc905b19141edf
SHA256 e7fbb1ead34b0845a33c9282aa9a33b5b4778f81a67e1f1feb08e84a93adfbb0
SHA512 5902f4321899dba5a69fe21cbca5711a529a625f9854c47b5619c700fde7ab44de3812a4ee0f6d8371b54f28063a7b544ac6bdc1f0925d9687a15fc84962baea

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 9267c0fefe13ed1244cc75a84bb4cf47
SHA1 8ec9579323be9cf7af7ad1a06abc8f13cab1e76f
SHA256 4cc5d1b0ebf0eb12548bb71cedf7449190a797e9e67e8bf6ed77af90b22da86e
SHA512 27085c1432607646a35991cb8ac81204cb1a514092e98b23747bdcbe24496ac8ae7931306eaa0898ba5589da43da92bf9e2f4b3ac45d05205b83b39bc67c613a

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 a484a0671307fd752f8bd6d3458fafbe
SHA1 8af5008198fa36aca96237195dd911223c52acd9
SHA256 8991eee70e43ff028231708ae0ec3f5b591b81d1ca29dcbfd86fb9f99d37cb76
SHA512 23fc45b9ac2878c112c2b22147c10c7bb6114731d7e0e57db657b2161a1852713aaf75f98adb2001ca403994edd3a519f8e3763fde02cc4b7d76f1dbe35612da

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 a6384e51890fa743886d0f091520b27f
SHA1 677b32ab80879e1bad4855f8ead853746728a002
SHA256 12b99d8c15ff048e562ed79ad5b2426f1b65900fb761d3134697c9a6f85ad93d
SHA512 239b163bc421029c782d4289ab3af8f3af41504d45d3a5c36084a222e8debb643489c857792caf42a46a09ee934a983bb53d83224f8c5a97b1ceaa0529d8d2e3

C:\Windows\system32\config\systemprofile\Searches\desktop.ini

MD5 089d48a11bff0df720f1079f5dc58a83
SHA1 88f1c647378b5b22ebadb465dc80fcfd9e7b97c9
SHA256 a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17
SHA512 f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8

C:\Windows\System32\config\systemprofile\Links\RecentPlaces.lnk

MD5 0025c3a7d7c4e90e58332958b00d83c4
SHA1 01dd4fdb260f66923004acb5a874111a9d14da38
SHA256 36db348143da1b5c16b9074940e85761950ee30b533b7ca75924f2f4ef6b253b
SHA512 b5631c94bad794541d16f2fa3a02018f4b34b680b63a9f3b6a3da4329216567a7ba9ceb8d4bd18165b0e55142f42e039f160ec675c0946237c276de1a6e642c4

C:\Windows\system32\config\systemprofile\Searches\Everywhere.search-ms

MD5 0fa26b6c98419b5e7c00efffb5835612
SHA1 d904d6683a548b03950d94da33cdfccbb55a9bc7
SHA256 4094d158e3b0581ba433a46d0dce62f99d8c0fd1b50bb4d0517ddc0a4a1fde24
SHA512 b80a6f2382f99ca75f3545375e30353ed4ccd93f1185f6a15dbe03d47056dad3feea652e09440774872f5cba5ef0db9c023c45e44a839827a4b40e60df9fd042

C:\Windows\system32\config\systemprofile\Searches\Indexed Locations.search-ms

MD5 b6acbeb59959aa5412a7565423ea7bab
SHA1 4905f02dbef69c830b807a32e9a4b6206bd01dc6
SHA256 99653a38c445ae1d4c373ee672339fd47fd098e0d0ada5f0be70e3b2bf711d38
SHA512 0058aa67ae9060cb708e34cb2e12cea851505694e328fd0aa6deba99f205afaffdf86af8119c65ada5a3c9b1f8b94923baa6454c2d5ab46a21257d145f9a8162

memory/2324-946-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Windows\System32\config\systemprofile\Links\Downloads.lnk

MD5 52f58ef75be09db19cd18e257d52f8df
SHA1 ac66f2887d9dc44471718212232269f04192ba06
SHA256 d21f9765a1482f7ee5893b65929eb87967ddc6116dfa5761a03bd86bd2506e53
SHA512 f9891c92e252229aca176e9801c33821777782b9ebca31788fcd84f604d14b22b52b78dcbb731945f23ec914ede5a0342e80703643215e1b16b73a692d5187ff

C:\Windows\System32\config\systemprofile\Links\Desktop.lnk

MD5 c7508731a2b6c49a6aa82fc9dba9830f
SHA1 34a0049e9e93dded00997c8ec20772ca77f377e0
SHA256 2e80ea99eb5b7145104e37637ebc9225840990cb73e221da607c2c64239a24d6
SHA512 716df8757008d75c14d6dc6c9fa22382d740cce534c7ecb5769e552e2d2952439526275468a83345532dcbfa2dddef1acd439526392ce8a651f43a28b4802703

C:\Windows\TEMP\chrome_installer.log

MD5 f5fbcfb612f0c4708a3a8d550b944dc5
SHA1 c784b63a222944f9d0043dd8d139223637a68e3e
SHA256 ed1bb1ed8bfc88f823538a01d77d683e48f56dfa327a02d642737ee270009cbc
SHA512 63eea439a9b5f9bb0fc823a9f84959205b7b97ea77ab98f3e8496e94ccc92653b7544133338741f8cf46af5553a86bb42d3e9b4416707445d65ffe4e78f8d230

C:\Windows\TEMP\Crashpad\settings.dat

MD5 fbc2c08eb2fde2d2fea94fe2af628140
SHA1 828e80b533e172694a8a6a53c4bf4ea0edd0b1a4
SHA256 84dd05237b7e2969c2d17967c915548a8e52d8845553db732208e24269edaf0f
SHA512 cfc8c236d3845d51e71f3883b07bf5cd86d84cc016aaadbedd45359aa41735cfe56bef6eb972311e1673fcccf57bb68da7c76b64cc10cd3fab3f31ea377c982e

C:\Program Files\Google\Chrome\Application\SetupMetrics\3fc83643-ed31-4a72-9931-c0e9faddc34b.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

MD5 df676f824e04bcb8a9c2018348421b7e
SHA1 a7c30cd2e2ffc83db3380e0ec1a15995f7aebbac
SHA256 8c0dd38dfb440eb9b9574e2fba8730555b448a36317e1e2009d1baec9b402ed8
SHA512 b01fc1785ef04eea68a160da74232ca8fc36b50c5c247e75adda6969020b605513821384e91da5d77aff2918d66cdd6368bd58354f7deeaaa1c39c504065afc4

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini

MD5 44b4076a3a5c5aff04af9700023b4f9b
SHA1 ac9834f3467586fd221ff56b9c2f6d265ade4446
SHA256 edcbf380dd69d3da4fb353f892aac892bd9e1b0f9b31f73bec13d99ec4751720
SHA512 8415546192b733bccb57d4db2aa6186008aca8e6af566bba6f43b8ff8177438e431f7a1152bcc24312e43951e470bff1875c3097465229524a9f03b06d6ed2d6

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk

MD5 cdc7913e0136040eba8a7c699f0def75
SHA1 a70d6038a8e4752fcc131615a5beb297ec84202f
SHA256 69fab77531bd464c292aa5701cf0a56ed6a7951d36e35b88749ea4d656c87741
SHA512 f60d5086d38e879a774fb9c79c04f8fe4f02963cd310f40cf4aae1bdb939907bfa529af4f5fc43b29cbd910907e1972545ae1c0bf086969c75438668d235ce9c

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 f905d54dbb3f9be52ec48963750452f6
SHA1 16c98d1292323a44d1719374ec165511dcb5d980
SHA256 62d266a207c9f75ddc78b62e22218df9bdf5c8362f33bae69fd4cc02ea1256ec
SHA512 cbc9abf8b31597c2e786c7da58896aae17fa53a3b3a2e5eb7612350387081b3d36e3e08f39cf6bcedd266bcbae0b0d4a5aba767b3274950c1fb2da7248693200

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

MD5 e0fd7e6b4853592ac9ac73df9d83783f
SHA1 2834e77dfa1269ddad948b87d88887e84179594a
SHA256 feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122
SHA512 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

memory/2324-1058-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2324-1071-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1680-1073-0x0000000003BF0000-0x0000000003C00000-memory.dmp

memory/2324-1093-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1096-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1097-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1098-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1099-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2324-1102-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1103-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1104-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2324-1101-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2324-1106-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2324-1105-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1108-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1107-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1728-1115-0x000000001C950000-0x000000001CF58000-memory.dmp

memory/1728-1116-0x000000001CF60000-0x000000001D0E4000-memory.dmp

memory/1728-1118-0x000000001B9E0000-0x000000001BA98000-memory.dmp

memory/1728-1117-0x000000001A760000-0x000000001A7FE000-memory.dmp

memory/2324-1119-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2324-1120-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1121-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1122-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2324-1123-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2324-1125-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1728-1126-0x000000001E040000-0x000000001E077000-memory.dmp

memory/2300-1127-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1128-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2300-1135-0x0000000000C60000-0x0000000000C61000-memory.dmp

C:\Users\a\Contacts\desktop.ini

MD5 eefa7f76ff11a5ec21bb777b798ac46c
SHA1 2e7a65ea8427d13a92ea159a5b8859ff99d2a836
SHA256 840b46ed74821b5b61ca9ddc51a91cfe9151d11a494c89f183fadc02a78ac8ae
SHA512 111301e33c0b33c154ffff274db5eb167de0ddb4e769cab9a2d9fcd2882e6192053149abbcb00d17ae5f7661bafecc1111aff2025c89d07b247633bbccb0e3ef

C:\Users\a\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 00a56766f684e4576a1c172eddfcac14
SHA1 dc7544b6a988e14e47803d005335626c2ca05976
SHA256 e2fc8aed0503ed7a78e28f4a786d47b0bcc079a652b6816e2ed2d7123f0f6880
SHA512 0b73e300069865aec4903c14ec2c4f1fde9b40257ee4822c1e1e9ba3ff21fb6fc670a95d2a1184df1aa0d7530cbb14d39624b03bc590ab159e1f0bbb070281cb

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\01_Music_auto_rated_at_5_stars.wpl

MD5 3094088e14afdc15d7427b093b8b7b17
SHA1 ed10bf7cf3df61ba95f45dca39042473efe07197
SHA256 b2b5080d83a1853fbec424e6b179b784c57716600e1b58dd8b2c5fee0e098fe5
SHA512 50cc06540177f4d9c5ae4d458f16ad725410388fbb36109e09a47b08c5dd6fca1a764858c5259c5cb781f8962cfc81226d79c5877f5cddfc47b84dbdd5966f45

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\06_Pictures_rated_4_or_5_stars.wpl

MD5 0a8a40ca87323dc16893194b00c7fe77
SHA1 b88a42a85053e0a7483e331b66ba5a40a6290e10
SHA256 9aa433bed2e090cc6904f1c24d5a7b5a1ed6d8f71a997e661b886c69383fd53e
SHA512 5932f09106d622054e6d624221d754ff471e3f37d9f585ed23db7f7327fe1e2f624b22a8f7f2827b607fdb9a30683b8f20c48a39cd35a57ad5cb78467af2c20e

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\05_Pictures_taken_in_the_last_month.wpl

MD5 821d2be672f05514127c117cef460c6e
SHA1 1c75f314e7658a3dcdcad315e301f2bae6d47b31
SHA256 3abdb6cbd88ad1557054ece3f10dd1a8494ed32f423b3cf8321b18decc489474
SHA512 146d6293173b80ffe3721ae6e61293cc1d838e8a72713be8b859ce33c69ef753408057be9ce15a78d573e253548ee674ca3fea77efa3d330ce8c8a50f8a8a988

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\09_Music_played_the_most.wpl

MD5 467e71aa2fd951eb0a1af3d6bb8378e8
SHA1 fb654c0b2663d4fa5fd0f1658097d936dd0429ed
SHA256 a54bc2cad63ced4fd9ff2a3a094a26e264e8a5ce8139193896d13236f494e2ee
SHA512 f9242a4925b910f4a114652967a6e2f49444a3f0d9f35402fef28cc8d39c58720930084112baf92eb6716af541fd76e3803ccc1e742cec07f1d4fb6abc13a42c

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\11_All_Pictures.wpl

MD5 74294ef495559ed32731f19096d70312
SHA1 fdc6cc849270016d2a382d7d0daabf44a4556cd9
SHA256 db34d82f2cd23e6e55a64e12d2a0a9c27ac2ded156483238f22a336ca6825110
SHA512 b068d903b83945f146abd4cf384da99af608643c62b647ea65db33c3b0e0face4727a74be3210a9c6469bbc403d1f5c59d92cbd57722737e992b0e4f5e66662a

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\10_All_Music.wpl

MD5 51aeed11707741118e0706c1259df22e
SHA1 6434e915b018c6d15898fe0a4d006bbe3e1edb60
SHA256 ec286113e5ad77ac34063589a137a6dc4b4cab8845cd9c5386519983fa3b48f0
SHA512 a674487f9cabe1fb2809cd98958dce696f7f066d3738bfb30317201ed804df3c72f2d24d6f9c0832cf446c8a965e21f3ea50aada1c69860a12340d6eca88e942

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\12_All_Video.wpl

MD5 372d0beebea5460409a6a1c53ac52a18
SHA1 1b5a925e00f9a4cc3a18feb8f74a2e39ef11eeb6
SHA256 5b8b62b35e5dd8a46ccccaf3fc3743be9e0965d24cbcd20da2681065eeb37ef3
SHA512 efb412e3a17f4eab84fb9f99b9e420d18e23610a9a66bcd7298c3ba68fd24abe0c1f2e58faa411e059788d34f4cede45f9e25c6578d13faefb8ee79acd50f2e0

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\08_Video_rated_at_4_or_5_stars.wpl

MD5 a3787a42b81fce0e448976ad158edd93
SHA1 45ff275c0c32eab1f0b56e8b61e8ead18cfd1675
SHA256 94bc17ac59bde92fbca00fcc69aed68fcbfe2c1754dd45f4810765f5fdf774ff
SHA512 b36ca10f580ec9d455fb57149bce1897fe48fda6023b2fb55b6b4b80a91f1754311b91edd72c13103e0da9ed90b696c28d6904ea91984ade69ed50791f4065ae

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\07_TV_recorded_in_the_last_week.wpl

MD5 b9987b1f9df6d0afc01558b907e62a16
SHA1 ef202d5d6f90b37c71cb757f3babb0857ce54d86
SHA256 0892efdb8459d81d4c5e1085239734d9910b9c6a1debd7189cf385141f0b19d1
SHA512 6bc86075632c3e56ffe1d371f4178299e93e014f5c5c83dfdca2dc9efd1155633409c79ec87cfe2afd4374b83771ae56a3eb7fac00f83921b433cb49216037f9

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\04_Music_played_in_the_last_month.wpl

MD5 f8d3a4cacf055f5ec5c62218ea50d290
SHA1 974474ce3fe345d8015863bd6ea7242ba118532b
SHA256 201f2170812cf8041964c4d3c5ef539d96adeba6a68b69ecaed0affe3ae8e25f
SHA512 ac32cbeb05fae672047705679043aecf9b56314baa09c2d3abb7eac655710d7cb2c967ea1772767e366bb502e8ad6de375302f51ca62a76d962ee539b45bfc21

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\03_Music_rated_at_4_or_5_stars.wpl

MD5 6d791b697af46d6777182af7f18c2955
SHA1 d73e8b5f4ee646c1c4ab6d23f3cb3394cb833ca8
SHA256 4825eb90140f6b2f4f7ed0df66b24e10ff5d0da70af53ea495fd30b3aa791870
SHA512 268cf327a9f471d547ad1dae47833cf6d722c08f9cbf5e7867a422282ce52dc320340ded93473a598903bfee9bf6a1a3393779468dbeb27d3390dbd59e6d20ba

C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\02_Music_added_in_the_last_month.wpl

MD5 907bfc98ce854ae312127c952d8be0f2
SHA1 02defe8c5f9cc85742e45ba55e4fcfe326fd960c
SHA256 c475dc7423c2ad60f25adaac754cd8b68b57ff04f26ecef78f3e5961b986a324
SHA512 db4045f992bad6ad660769a22345c5e0d965ae521d6828d612b15f0163622c629992c313a41bc9e381f9b0f098117eef840d33100af4c6a3634eb0013a7fe1c7

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 696bffbc8cd1ad6400f10220607837c6
SHA1 4f7aa526dcfe9b2931d58e3730d68aec56ba8c15
SHA256 5ccaea1aa0a029d4c535f919ff30467be23ffc8f4c20c213a29e1b7da74407a7
SHA512 7552a73d36c23f85df32dca367d9719dc699ce6823d55f03fa11e27ed1becc80b5e8842ca9e102cda1fcddc508149349f5ed939e7596ff04820a1139f0799363

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 328eb61b3b6dc7e61ac91ece9750060d
SHA1 19d1b7f65a2831aaa9c4ec8fd00d49618ee4b2e2
SHA256 5172eab55cbbbc37e7a744a5d575cae6f6d99f1ec2e6c79f8511020506ad103d
SHA512 f766b2ad48c9487b4af00670e062c5e7c5ca5ebbf42518175c68092e8ec84472329e0199d3623dfd71c7c2c187cd342003d17c1d3f96aff3cfeaad6c5dd7bfec

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 aa4238553d2ed26c73021359686b1cb2
SHA1 e14f8be45c0fa3a445420d9865132c3fc5281fa1
SHA256 9f795de97f11345ba27e33a1d576a1f526f7d129e658257c11629bd7a5e23886
SHA512 c4bff8763338af4cae951a22a468ce0ab0c3a808d3717719a90f338997de839dde038b5c86af810a16dd94c71ab29b055564ab43b49d5a5b6c87a2aee8aeed78

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 3fc669f0e1f30f354f677dd13a210821
SHA1 763f14287caa2785c1d257fc1056c5b48457d63b
SHA256 487d8830b8e13a1bd4ee6a8f1c6e0b43418157773c7359a0578dee2f62171ec0
SHA512 b3779f4af5d00e854f1bdf0900f51d4836a4e2f2fdde61b300b4a9f064510c4324fddbeb1a6d6aeba9f20d5ddf56dd8bcd14a8b5f7dbee76a8938cdc6f530594

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 4f92139cd322a396d7e0d25e5d151301
SHA1 67f94e2990106d9481e78ae08356d7a4ec1737d1
SHA256 f47afaacc544f681170b9d6ec201dd92d2a166966da9ea1274675b1a9d6c4b96
SHA512 cf135d6a55e5744b905d2ab65d7d021133c353161a431a1026055632f0988e5760c7f0b334d17f3dd3ef1d98320efd207c36db1948adc00d2fa6035a172498dd

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 e05237c9f82a4d653a2ebe00c6209598
SHA1 1775c48921edfcc3c5b16e6c3fc995b76d592a8d
SHA256 7068e350bf2de30330f5aece55e2afa09f715c6039e485d7465b543eb916ba98
SHA512 dc6694a0caa5d48512792539abb2cd1fe2d72c0560ac9c7eb9657a38f97996e5460652b35c20c130d58a3e9bde8b43f760a68852e29fc54cb3a0b192af427cb2

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 7e40f5e4b5efd5dda70bf756a98ac8d4
SHA1 838770370b9a7c2a44520e1496a52b03ce260629
SHA256 3a20029b5abed0cb1a6de9d1addbb2cb3ad5648fddcb5b4cb9e4a66dc3a90263
SHA512 240a1b362d6bf82d0e8cc5e4c9614e04e3526ce44a15e8215a48c5147152694090b132bce1aba728305afcc0284b8369caf12c908178e0399bd44ddced7396f2

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 9deb94fd6bdbf6c96f855e746f9201d6
SHA1 99d050c590bdc0f8c6ab614fd1603e224144783f
SHA256 fa2436544ff7499f1deda8ff7ca58b6edfbd25317d640e1d90487dc23203d333
SHA512 a4eb6786692859b6f8e088a21c0175e07e70a6f9ed0d6a679e96b39586838861399dc972d288b132348559e9748cc4b9403b596da20577a7e642346fd44c9373

C:\Users\a\Links\desktop.ini

MD5 f458374ae40c626735132badbc5b0370
SHA1 3d65ce3308dd1e4bdc2edb5f082aa6d15984d08f
SHA256 c053541e6dfaebf133f0e0c6712d42e9905de896814d4c10b8e728f0345700c7
SHA512 e076d1f2a20fae037dd2dd7197d20b41687c9652d2e42e3c567806a0775a2a5427b3c481dc502315c5bfdf58cde908ee89e073e0124393972211ff5375f454e0

C:\Users\a\Links\desktop.ini

MD5 92adc8410cd8cb1d0481e2adbb62c7dd
SHA1 bac1444ebe0bac748966f3bee84ee11e151a4810
SHA256 4a3d7ccddac5c1b437fb687e90589015b9b9ae7708ea35eed9917d1190f65694
SHA512 d7c3a5df50b28e336ff24f828cdf225554d199d3c2a857e2a7baa1f2bc1fee21944733edee52bd665ebaee999f5668d03497e9bfe88d58d380b74e6046ec5d62

C:\Users\a\Favorites\Links\desktop.ini

MD5 3c106f431417240da12fd827323b7724
SHA1 2345cc77576f666b812b55ea7420b8d2c4d2a0b5
SHA256 e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57
SHA512 c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

C:\Users\a\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms

MD5 2b2994c64755e836b0c3e6b746c0c3f7
SHA1 c23ebfcfbbc0653519ee8f696e0ef0e6e67e922e
SHA256 41e259349b059b6e4a86cb0d22ce6cd3049f9e57333a0d2ee4d0ca5fc598af05
SHA512 6306a00536133d18b5e8766b949fba9cfe7d64246dbb688245fa17ef58d3cc4617cc79a25f4bf2d559dd7e997a37e8db429d6d3d40b791191d73adced571edb5

C:\Users\a\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 e60000f14095f2834871c99e186779ca
SHA1 e302effdb5156d36fd508e7d25043ad0c3a55181
SHA256 368123ab6244d6f2ca8ee44cacb14d48c8f59e76d4ee10d35d719f1882dd61a0
SHA512 01ab5871ca480efba1a224259ae7e5395b88ae929802e2ae301df1bb97400d6f9a06add39dde05038555b7f4e18a448a93c196b7f3a5cefa0bc029578a0c8b12

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 4bf7ee430909cc0b6e4e7a2ed41141e0
SHA1 d51e1c3394a8751cf5f1c1bcb04082a6ef7a0f58
SHA256 791e27eb0b16a97a26d6290c2a8f8aba449ca938e3cd631efe5702b2188bb02b
SHA512 0e26090e9bc7e1d5d4a76922efce091f2fe0dac89386c5c27bad84a9430baf51850810c79723ab2c7331820158c6bbcbceeb8e73b5e0ef8be3102a46c6b989c0

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 5becd01e6a16dac437399d7ffd2cdcb5
SHA1 ca8129c8692bcb4c6d73898bfb4d2fcd815e2994
SHA256 f3b4bbae539d7a7a4fec7579aa12ba57cae5784bcfb9f327673a8c3130723568
SHA512 20960af6abe59dff0c1bc09d2b2ae72345fd92bb8535349e203d8c0d6506e2fd70febe9dcb297b8e49c0e083e9d828ea8a86160c069d8f47b0ca4adb6cee7c36

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 c145df9d736dcb660bb30fe020062487
SHA1 fa3bdf46fcfecaa6f0b74d0aede96be362713a27
SHA256 c50b793b306ae27de1535c6dd94bc20ec61c134ca2147b17b87bcb3ec83829db
SHA512 02f5bba735c0b262f1037e7049ffbd4f937ce02e898a7ddb9b79bda970525d3785411a9c33583a63afb8698bb382fc0dcc253197e9b9b2ef83e116af40c7a988

C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 2d6517a607b00b244fb26c46ae7687a8
SHA1 f6066a70cc0f5ae832dec2150c6285b10d23e0a7
SHA256 57d5a53874a31417ff1a34f16bdd956e2fa35129a041a37c9440f2c4cc2d9e46
SHA512 dc7b220523dfa03c9293e854b423eec1bc8cc45256221ef8e4c1811b549395dc459a94f1d5299476148e282f48f8ed201c9ed395629a5b0fcda4def2d48919d3

C:\Users\a\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms

MD5 706ce9871e07e561a9dca8cfd4e20e37
SHA1 927b4b444f80a2e11f5b02b794f5aedfad3eab34
SHA256 ae624b734dee593e191690da75f4e3b929c5d0d0f1a99c01ef439f5c94bb71a2
SHA512 67c5da8ec9e6bd0e6172a253feafa5997929987e2572cfd7a8b84f7b7aa2716aa880e24a7c7ab624314ea9ea2573124feec49a21ab04a0435dc731ef13c5ace7

C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

MD5 7e02f61f0d0074633ea6f14465d8a254
SHA1 43e005bf8403134c87b9c88bbbd959c120160213
SHA256 1c9436f575489f2e9a3a89792f98ba435baceffeea04889e0f406e28cab72d64
SHA512 86f24576884c869dd77cd22466617dd62678b208abd3f8bc63d36415089adc478764f220b58889ad21e1c9c2c023595ce870c82976205b1b91799a19ea41fb49

C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 1c61dc21f9b83172d65be1e94b79026f
SHA1 7324473ddda64b87c299bf6e3b9e9aff53f7fd74
SHA256 8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b
SHA512 9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8

C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 9a1b13fd914dd7054b83bc1760c99ab8
SHA1 340c37602b11cd3cb9ae681d09bfc4c81f733742
SHA256 7f0a9cc0be951d60d6c8e60d1a612bfa65fa390020d7c0c80f212ba2a47a4aa3
SHA512 50d48a348c71fb9e89ab01e59fe599b692a1701f19d2c9de6ae09678e0a44ba95020b1989f9c776edcacacc5f2b2b348b0f31aa28c04850e69e47cda6dcaf88e

C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk

MD5 47b2e1c4ddd5fa161f4e7314222d7a29
SHA1 f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4
SHA256 20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772
SHA512 07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b

C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 e5a8eb64419f6d85a1b7aed2152616c2
SHA1 f5d94f8953bb235e35fccec0ea4f14ba69443081
SHA256 5266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7
SHA512 7c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6

C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

MD5 2578ef0db08f1e1e7578068186a1be0f
SHA1 87dca2f554fa51a98726f0a7a9ac0120be0c4572
SHA256 bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3
SHA512 b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

C:\Windows\Temp\www4FF5.tmp

MD5 2ce792bc1394673282b741a25d6148a2
SHA1 5835c389ea0f0c1423fa26f98b84a875a11d19b1
SHA256 992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48
SHA512 cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

MD5 11cede0563d1d61930e433cd638d6419
SHA1 366b26547292482b871404b33930cefca8810dbd
SHA256 e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9
SHA512 d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

C:\Windows\Temp\www4FF4.tmp

MD5 a1fd5255ed62e10721ac426cd139aa83
SHA1 98a11bdd942bb66e9c829ae0685239212e966b9e
SHA256 d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4
SHA512 51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

C:\Windows\Temp\Cab6177.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

C:\Windows\Temp\Tar63CA.tmp

MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Windows\Temp\Tar65F3.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a625f00a81ef7f22e6e2fda767d1f23f
SHA1 82a5a176d18ae60729d4df4fc7b3d72106102fcf
SHA256 ffb9554f4c3756d9f2dbfa6a6b5f8f90202791d9f33b9c3d5df6aa9af57bb3ee
SHA512 62f4f541650963a80d249e31ade6879a192e49fb5eb67b9ee7a10efcf4a3d38e0035a181b5bce9a768936ecb3328cb97ec4447769e167a70494a65a6df577b2a

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 17fd88a50649176f195c2122d912a5e6
SHA1 591a028a05af350b997c007fe844a0eea20b71d5
SHA256 63ec71e3b74a4096059c3bf4169a58cecdef04e0f05f007b405e24c99b3d2828
SHA512 7e0024b7a0c155c91904a14b0572fdacfbea39e8744d769354bc00ec3b39f7617328e0e6445cbf1294e489772fbab0b7788143874daa7f827a70f53106f742fb

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 1a6201b3c9033ac177ea25bdb5cb82e6
SHA1 685e1084221b55d2a9ff7ac776fd02c448604fdd
SHA256 6bfb2a5b8624dcbc38379697961b48cd27c809c6b374e808527cb369388db230
SHA512 9834924ba35926b317181c3692a518b415d62670ce7d269e4ea0a76670109c596f522e9aa58064670ca0356ee1f0c042f97359e55b02d209f65de32f1231cf0b

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3a9c9d147c226ce90e62a8a2831463d
SHA1 5d91a215108843196b58d34ef4dd283501fadc5b
SHA256 c5e9fee401caa430854fe85d6b042c7a01233c88c1cae1c7f596f0e4edfe5997
SHA512 d4398afdbfc783725b30cde25166558832e99fd77a6af9537cf0176376bcde7499668b9f4f6271698e76ab899efb08cd1fcc90d9f71804255b020e24e5407f35

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 f2802e0c0b70dd5ef831e29dba2fb1dc
SHA1 0dc5e607a2f237c672b5731587b1f33385a2628c
SHA256 f438f6e3c76cb0b441695b7c5c5a8bc393fe3c2b2e868f993cb6e30bdd0d5f2c
SHA512 fbf693de43b0e5a856800dc2a9020354683846a8039312472f5b00e5ef430aa469f5fa476e93fec640911a62863effbf54aaa44cb8e464777cdfbe7916b181bc

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 013c60c02047d81bec06d552eb5a3697
SHA1 7cb5fffda182b48c5e76b68aa7a27f93ce8a5619
SHA256 3160bec785b0e43b0a12730810d571b5821ecee28917a185b905f73ec408af85
SHA512 560dc6f8042d5bf2517a6004a329f9eae1c9dea525a8094ae5c82abb3a4f5c816e9556e1c623ef67e710f04e60990726df04e6c5996dc7246deb8505d1f50d75

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b8e50ae5e0cdd1c65b4367fcd5b0f9e
SHA1 55c6966a8dd677524319547b3b46b110bbe8d129
SHA256 a282b07beb1ab06eebbb3c8230c0a7dd5adede080160b41759207295717447a9
SHA512 7dd60e199c97a764ae429b67463dab58131471d5e67352a3f933a23fde083b389920eeb11baf47c88632defe8b3a92dca5a634771998d13fea4e114c12cc0cea

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75b20037416ad8771f5dbb4ff01ea30e
SHA1 01e4b9e338ba791bfb713ff9d89f4a8cdbf67e02
SHA256 112e22670f31189038c2a8cfed7fa8071c1978962a463895ceeea4c08bc90316
SHA512 3483353c0761274650826a8805eafcff8115c0b38e351a46cb456eabc25d5c47f3796cd8498157ddf82385d03d6a5b5279f3b6dbe81bccaaa8ed1e40343f1fb7

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 babaa757228a482bcb94e0c697dd005d
SHA1 fd0367c941070306d6cc35f0e1e10f0db3ef5bde
SHA256 458ecaf2c37dc6a1bb71f9cf70d04f1d7d39ca983fc15464e89ba0008655cbb7
SHA512 e6755107f9985b62780223c9a2ba8e06486898eeae00f506d654e603058fa12692bff8e836510463563f7419a98417a17fa12c1dde765183a123dde8fe82a1db

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d068b7c1d5e1c77cfc2ae726112cf928
SHA1 5984a5458bb7a862773cf55cf7bc7ad02c14de90
SHA256 b2ba74c93d014bb663f30027b5cbcee263a479af06754fd19e5e751d814a4cec
SHA512 6f9c1fcaf295d16a46560f0c8cf36d7c5773b6b101e59d223b3befae333f10b855a7b321053790974b2cf0e33f3d6d884271d2f6d794ed6a19381633d217d4e5

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ad4dd4e899970ae347e256e95beac89
SHA1 cea57bb43f4ae695032bbdce265ea4cdd0683356
SHA256 ecb3733000b69af27765a8b89ac5259bc72a3fdda925e168d99e1e1a4f6eef28
SHA512 d84c025b15608e900816337634ec1e07662e5e7e1e379bf9ef4c8b1a7a1c1a8ad1beb21f56ac500eb30c4a13b5092d07c6b4cd93f498fb5ed2e5c0ac5a71528d

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c3f6b4c843e4d39ade71a294d8097a8
SHA1 e513134617c36a55a990d027357790f316add38a
SHA256 c5e5804be6b8beff86d2440d1a51e964230745072b739e150c0f691ae4ebb985
SHA512 eb58e3d00d2c13cc788d67bc254eb5217258931ba6581c0e3558000dac33fa64192be78ede235773d18143a0bda9fc7c9c1e56982998460b0e20e5089f4b0998

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 12d5130ae9b7dcdba375b11954f0e08f
SHA1 77c6de12630c0c808602004b515d52381db3f662
SHA256 830eccbd1b55e3c0720723f10418af5c5e4a4d5d7478eb3b18b3c8eb2f850a32
SHA512 6a4ad406e12adbb664d66fb1e95852447155b71199934b9ba353df13e5eb4c280b44edd621ef641b823a49d1ad052f1f1c46a5a887ef73126cdb3820510ed781

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3853ca05d048d88706c7af740f170d8d
SHA1 c38325d07b91ed3bbdf397814f0b6205d3533464
SHA256 5f0ef3475e11f0db8960414f4d6457a2d1143164e99ceaf0504df492c0327ff5
SHA512 f3eb022b9f1a9c6e708a6189bc511ab1b4617c684c5ed2fad3b924756d3af1fd63716a587b8a8d000754ee4cdfe1f2a5a26bf29e8b6d32edd6d5d106c28a5c52

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1d9ae37c20c4380ca2d31e9eb8e771c
SHA1 2ff117445c5ee107b2ee3aeb4dc0f5fc0041016f
SHA256 fd9b574004799870bce80fcf2294e54a4a23dd817febbaca29d239e25e6f4e64
SHA512 deb2c94b4316ec17704fc7a6f195ed51957514fe72f49234ab4b319df8b56e9d83c14ae60669a56ff160f21b5fffabfd9b7e90b8bcf743dc82d073fdb0a2e201

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 809df1e5e55f44eb9cc4e951236b43dc
SHA1 771fd8c00da9cc0f48495cbb17a62f521feacd94
SHA256 bd87bfa27c01d5bf406702065fa2f028d189d073be140c0e5b36940b58e02ea7
SHA512 6c24c59d6b2ba5ff3e7c4db1dce73e1100468ce5da818200c62bf78bc6f8a6d2c6baac97ed118cd27f007b729d1eadf7fe16831f491d8ef9ae3e195ad7d5fee7

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82cf22207f5da71cfa81d6a94eaf9349
SHA1 21cfbdbf4855a504b818c79d9efed7ad1c4b0f3d
SHA256 97700b0dfc8199e180aac6c173e55662e3e0df9c46801e1ae6746eac3298acf3
SHA512 8bfd21f1aac91c4673f2bf989df82514aac6328a366af293e86520eaf8b51dd980d9cfe047c4343cf53e27b9051034966906deac2ae283868c8e9ccd64b91ff3

C:\Windows\Temp\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Windows\Temp\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Windows\Temp\Google\Chrome\User Data\Default\Site Characteristics Database\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85c77e9e763d2484c9579a67b117d967
SHA1 7f36425e401fdd9ecf7abc47e68b9705652ce597
SHA256 98eb90f27fec410588395334d8a9ca543c79dc0eb5eb32e8e0f1d581efd01cd7
SHA512 4731d3d6d8cd4845354dec37d525f538655e07bc82982481603b74c5bb0082bd623b432e9cee50c7f32a62ca8b339a460a4f1edd112d28f46f3fd278c737618e

C:\Windows\Temp\Google\Chrome\User Data\Crashpad\settings.dat

MD5 ae15450d42303c9d12c39b4b8f0e01ce
SHA1 1810f6bed6b321c5062a0d05c88007a14e3e5118
SHA256 a3b21087e1e2e4f31aa44b1197312ad18e6ac3c61d5104ea63f7050e9c77a119
SHA512 6bb148aa28fbd68d5fa64b2127737a4e5a3302bd3e616e5b894b5b289eebecfb78168642e13f0cb0ef62f4da355cdbdaa23361b7efe073a9a4621e629efe1fcf

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a543494899902d37e5e3c5d64d6e3c63
SHA1 d1fe14780269f1f15dfe1bb4fcfb74a99ea9db05
SHA256 06a9595af4dd5a181510410102e99b0c4f434ad92d5bf66e70edc9ce1e8365a1
SHA512 7b2e5b0c546d53bd929b6dc438d8de8598f3dc1bdd602a589192c06dde5a31435142411717bb5949d29a8eb7e3f31f298440848e9a0cdcf5640934c61478b9c2

C:\Windows\Temp\Google\Chrome\User Data\Crashpad\metadata

MD5 6fd87ff8617aa1d2bdcaedcfffa69da5
SHA1 f68dccffc76dbcb8ab1d5e2265a5b75de7d888e9
SHA256 23f28ff11e6ef0e595dc16bb5e565388e23badb7eefda05868ae484fea1ab1e5
SHA512 f356c6c77670c122f4d2a0c3714718b7390a2b956de42d007c26c4486ba8e77218d6e7fe06e4a6406cd26e7513c0b6b663791c1ad2710e826c1eef3e251e87cd

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a42a72cbfdfa53e63dea519422cce036
SHA1 945f126b83d678ace95d3a1e098837f23a5f039e
SHA256 3b51a2d2440ad7505bd54bcf62132d96a9388fcc5de9d8144b87cf58643d685d
SHA512 bb04c9788762c22874d88ad9e55d73fb1eb3216be290e1a1d0b8b49c3e114bb4cffe6ca78cc597d1a0c037365cab16c3bf62c558fab81fbcfac47547691d487f

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7f1095a4c348131f2a30e11fa067ab9
SHA1 ac68bbb8042ab92322fc73144f715713e8b4ff40
SHA256 423fff071655da3ea34a944c609c00d46fee312ccfc6564f3d39bb32354743d7
SHA512 886d9bde421278a097d9788c4e59aed60afe1d015522a534ddb4d8163af7054b76faf1e082581c29e4144b733bee1a078d0575442eb23aa5788af4ea80697758

C:\Windows\Temp\Google\Chrome\User Data\bd930e86-bb72-40e5-a7a3-34ca9b731f18.tmp

MD5 2073621a7201ebd7a501e48221dbf199
SHA1 d6582267489d0bb3b599f3fcb37f03006dee71f6
SHA256 b4f5976ccb16f37973a7ef56060449d3a53a806f8c656a017e16bae3b9e71a61
SHA512 fa723037191b0f78783a7561c6ca18186ca8a9009a4da8749d7abe7ae0d803fc3c63a6458c9fa4d4852d2b5e52365b10a497565a0fd41a479a47eb79a8098de7

C:\Windows\Temp\Google\Chrome\User Data\ShaderCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Windows\Temp\Google\Chrome\User Data\ShaderCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Windows\Temp\Google\Chrome\User Data\ShaderCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Windows\Temp\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Windows\Temp\Google\Chrome\User Data\76a11e55-b001-4154-b29c-9cd900986c9f.tmp

MD5 fb34ec3affab6fd27e24d2a77e9ec96f
SHA1 437f7c8edf5a0f02c4e6b377cd796ff668e2cee6
SHA256 b87058e6a3f5af72ed8d3be6166921ccaf905e44d94683eae84a5a9040a0e1c1
SHA512 4f5601d8c7cbf949d72f693dc8729bc46455d1f8eee5a630fff0190189b13e8b5ee6b74e442ff811b7b585c18111c64bba6a58e8a59c2d78b58e419992b8d89c

C:\Windows\Temp\Google\Chrome\User Data\9815d094-1ce6-451e-bae4-9df402a95fac.tmp

MD5 780050e80e73a00807c61c1cbfef1c05
SHA1 bd50f08752472ad7a76afa5dd902a2b4262cbdc8
SHA256 9de5cb6a221714372f42fc4b56d10b4b0f3c1203ed0978b6408400b7614be791
SHA512 4c707fa945a4e6532f35cbfbe7c7538a30d1bea19320a33ed1e4758ddc5009878803371ee2e501b9c0da677accd27a2d8fd92bb38cfddde14129c1ae0104138f