Analysis Overview
Threat Level: Known bad
The file http://gfdfd was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Gozi
Boot or Logon Autostart Execution: Active Setup
System Binary Proxy Execution: Rundll32
Drops startup file
Drops desktop.ini file(s)
Enumerates connected drives
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Event Triggered Execution: Accessibility Features
Program crash
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Modifies registry class
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy WMI provider
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer Protected Mode
Checks processor information in registry
Modifies Internet Explorer start page
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-02 16:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-02 16:14
Reported: 2024-10-02 16:59
Platform: win7-20240903-en
Max time kernel: 1102s
Max time network: 2167s
Command Line
Signatures
Gozi
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\explorer.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "a" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} | C:\Windows\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
System Binary Proxy Execution: Rundll32
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\a\Searches\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Desktop\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Favorites\Links for United States\desktop.ini | C:\Windows\System32\mctadmin.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\unregmp2.exe | N/A |
| File created | C:\Users\a\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Users\a\Favorites\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Searches\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Links\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Favorites\Links\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Users\a\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\unregmp2.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Contacts\desktop.ini | C:\Program Files (x86)\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Users\a\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Downloads\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Windows\explorer.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Users\a\Contacts\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Saved Games\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Desktop\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Contacts\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Favorites\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Saved Games\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\Downloads\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1001\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-457978338-2990298471-2379561640-1001\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ocuments.tmp | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Searches | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Searches\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms | C:\Windows\System32\ie4uinit.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\fwlink[1] | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms | C:\Windows\System32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F7E3ED5\12_All_Video.wpl | C:\Windows\System32\unregmp2.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\Searches\Indexed Locations.search-ms | C:\Windows\System32\regsvr32.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ocuments.tmp | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\tmp.edb | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools | C:\Windows\System32\regsvr32.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RFf7e6317.TMP | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ictures.tmp | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat | C:\Windows\system32\RunDll32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Music | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Backup\temp\WindowsMail.MSMessageStore | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ocuments.tmp | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Favorites\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edb.jcp | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Pictures | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized | C:\Windows\System32\ie4uinit.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Desktop | C:\Windows\explorer.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\System32\%LOCALAPPDATA%\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Links | C:\Windows\System32\regsvr32.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\Contacts\SYSTEM.contact | C:\Program Files (x86)\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D53F0163-80DB-11EF-A6BB-F2DF7204BD4F}.dat | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Desktop\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Contacts\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\Favorites | C:\Windows\System32\regsvr32.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.DAT | C:\Windows\System32\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.INI | C:\Windows\System32\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP | C:\Windows\System32\ie4uinit.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.INI | C:\Windows\System32\ie4uinit.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\rundll32.exe | N/A |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | N/A |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\explorer.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Accessibility Features
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Mail\WinMail.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Mail\WinMail.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\explorer.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\runonce.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\4\IEPropFontName = "Times New Roman" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Show_ToolBar = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmx | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Do404Search = 01000000 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\30\IEPropFontName = "Microsoft Yi Baiti" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\12\IEPropFontName = "Raavi" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Document Windows\x = 00000080 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Plantagenet Cherokee" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\33 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\New Windows\UseSecBand = "1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\ | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\6\IEPropFontName = "Times New Roman" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\14 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\14\IEPropFontName = "Kalinga" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Khmer UI" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Local Page = "C:\\Windows\\system32\\blank.htm" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Document Windows | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Windows\\web\\wallpaper\\Windows\\img0.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\14\IEFixedFontName = "Kalinga" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\XMLHTTP = "1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\5\IEFixedFontName = "Courier New" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\23 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\38\IEFixedFontName = "MV Boli" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\SQM | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\SQM\InstallDate = "1727886468" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Cache_Update_Frequency = "Once_Per_Session" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wax | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\SOFTWARE\Microsoft\Internet Explorer\Document Windows | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Sylfaen" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\34 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\35 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Desktop\General | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmz | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\6\IEFixedFontName = "Courier New" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\22\IEPropFontName = "Sylfaen" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\24 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\32\IEPropFontName = "Segoe UI Symbol" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\New Windows\PlaySound = "1" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\15\IEPropFontName = "Vijaya" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\23\IEFixedFontName = "GulimChe" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\29\IEFixedFontName = "Plantagenet Cherokee" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\International\Scripts\32 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Settings\Anchor Color Visited = "128,0,128" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\958167e7_0 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Search Page = "http://go.microsoft.com/fwlink/?LinkId=54896" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\SOFTWARE\Microsoft\Internet Explorer\Settings | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\SmCaptionWidth = "-255" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\0\Sizes\0\Size #8 = "18" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\MediaPlayer\Player\Settings | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\AppEvents\Schemes\Apps\Explorer\SearchProviderDiscovered | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@gameux.dll,-10054 = "Chess Titans" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@themeui.dll,-854 = "Windows Classic" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\2\Sizes\0\Size #3 = "20" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map\221530b59e42dc5d = ",1,HKCU,Software\\Microsoft\\Internet Explorer\\BrowserEmulation\\ClearableListData,UserFilter," | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\oobefldr.dll,-1220 = "Back up your files" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\System32\wpccpl.dll,-100 = "Parental Controls" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Google\Chrome\StabilityMetrics\user_experience_metrics.stability.exited_cleanly = "0" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map\343853448aea64b2 = ",33,HKCU,SOFTWARE\\Microsoft\\Internet Explorer\\Main,Cache_Update_Frequency," | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.ZrqvnPragre = 000000000d0000000000000000000000000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff70536aafe614db0100000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Speech\AudioOutput\TokenEnums\MMAudioOut\{0.0.0.00000000}.{15f0d5ed-0d3b-46b4-a9d9-1d6d0408a103}\Attributes | C:\Windows\system32\utilman.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Show_URLToolBar = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\microsoft.com | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\oobefldr.dll,-1180 = "Choose when to be notified about changes to your computer" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{fc914843-69ed-11ef-8ad4-806e6f6e6963}\ | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0\c458348e879991c4 = 2c002c000000 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{0BF754AA-C967-445C-AB3D-D8FDA9BAE7EF} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000f0eec53be714db01 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{fc914844-69ed-11ef-8ad4-806e6f6e6963}\Data = 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 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\1\Sizes\0\Contrast = "0" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2001 = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Description = "This zone contains all Web sites that are on your organization's intranet." | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\gnfxzte.rkr = 000000000000000003000000341f0000000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\Scripts\29 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Providers\EventLog | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\3\Sizes\0\Color #0 = "16777215" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband\FavoritesChanges = "1" | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map\0f573547817bd52a = ",33,HKCU,AppEvents\\Schemes\\Apps\\Explorer\\BlockedPopup\\.current,," | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Taskband\Favorites = 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 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Templates = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\Templates" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\2\Sizes\0\Color #16 = "8421504" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\Current Settings SaveAll\Sizes\0\Color #0 = "13158600" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{fc914847-69ed-11ef-8ad4-806e6f6e6963}\Drive Type = "17" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{E8433B72-5842-4d43-8645-BC2C35960837}.check.106\CheckSetting = 23004100430042006c006f00620000000000000001000000a0000000fe070000f03b4b3ce714db01000000007b00450038003400330033004200370032002d0035003800340032002d0034006400340033002d0038003600340035002d004200430032004300330035003900360030003800330037007d002e006e006f00740069006600690063006100740069006f006e002e003100300036002e0032002d003200360030003000370032003000370034000000000000000900000000000000000000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\4\Sizes\0\DisplayName = "@themeui.dll,-2019" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WindowMetrics\CaptionHeight = "-315" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Osk\WindowLeft = "592" | C:\Windows\System32\osk.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{fc914847-69ed-11ef-8ad4-806e6f6e6963}\StagingPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Burn\\Burn" | C:\Windows\explorer.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\Current Settings SaveAll\Sizes | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}\metricsid_enableddate = "1727886721" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Control Panel\Appearance\New Schemes\3\Sizes\0\Color #25 = "12632256" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Control Panel\Colors\MenuBar = "240 240 240" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA = 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 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{fc914843-69ed-11ef-8ad4-806e6f6e6963}\Generation = "1" | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.3g2\MP2.Last = "Custom" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.midi\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.WMA | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wav\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/basic | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.dvr-ms | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2 | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wpl\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mid | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/aiff | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\shell\play\ = "&Play" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1001_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 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 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-ms-wma | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.AudioCD\Shell\Play\Command | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.m1v\MP2.Last = "Custom" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.m3u | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.aif | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.asx\OpenWithProgIds\WMP11.AssocFile.ASX = "0" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wm | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wmx | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wvx\OpenWithProgIds\WMP11.AssocFile.WVX = "0" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-ms-wax | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp4 | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg2a | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-wav\Extension = ".wav" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.m4a\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp2\CLSID = "{cd3afa98-b84f-48f0-9393-7edc34128127}" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\NeverDefault | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-aiff\Extension = ".aiff" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD\Shell\Play\Command | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mpg | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.MTS\MP2.Last = "Custom" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wm | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cda\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mov | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.rmi | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Enqueue\NeverDefault | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wmx | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u\MP2.Last = "Custom" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wvx\MP2.Last = "Custom" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpa\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mid\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mts | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.MOD\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.m3u\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.DVD\Shell | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wmz\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wtv\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://gfdfd
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2276 CREDAT:275457 /prefetch:2
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\BlockPush.bat" "
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\≈└á¼Bru°é∩M╪
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\≈└á¼Bru°é∩M╪"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\explorer.exe
explorer
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\explorer.exe
explorer
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
C:\Windows\system32\taskmgr.exe
taskmgr
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\system32\cmd.exe
cmd
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -UserConfig
C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ie4uinit.exe -ClearIconCache
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13f957688,0x13f957698,0x13f9576a8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x13f957688,0x13f957698,0x13f9576a8
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
C:\Windows\system32\taskmgr.exe
taskmgr
C:\Windows\system32\net.exe
net user administrator /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator /add
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1547429158-1373902668-2024677874-11184271686434354911401238080-2032904636578202826"
C:\Windows\system32\net.exe
net user a /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user a /add
C:\Windows\system32\taskmgr.exe
taskmgr
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\explorer.exe
explorer
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\ehome\ehshell.exe
"C:\Windows\ehome\ehshell.exe"
C:\Windows\system32\utilman.exe
utilman.exe /debug
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\System32\Narrator.exe
"C:\Windows\System32\Narrator.exe"
C:\Windows\System32\Magnify.exe
"C:\Windows\System32\Magnify.exe"
C:\Windows\System32\Sethc.exe
"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
C:\Windows\system32\sethc.exe
sethc.exe 101
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17135971304426532751096545451-1535480276194882071190331675320802257452019475284"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "208217597674920377146785068-7346953641760398350-14608306121247937012-165444338"
C:\Windows\System32\osk.exe
"C:\Windows\System32\osk.exe"
C:\Windows\System32\Sethc.exe
"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1647998102-1822959147-706770388-4529340931018650556-2028652654484421602433360860"
C:\Windows\System32\Sethc.exe
"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1869723594458370052-983901033-766026772-1593374712-989823756-540395622993165723"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1540
C:\Windows\system32\utilman.exe
utilman.exe /debug
C:\Windows\system32\utilman.exe
utilman.exe /debug
C:\Windows\System32\Narrator.exe
"C:\Windows\System32\Narrator.exe"
C:\Windows\System32\Magnify.exe
"C:\Windows\System32\Magnify.exe"
C:\Windows\system32\sethc.exe
sethc.exe 11
C:\Windows\System32\osk.exe
"C:\Windows\System32\osk.exe"
C:\Windows\System32\Sethc.exe
"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
C:\Windows\System32\Sethc.exe
"C:\Windows\System32\Sethc.exe" /AccessibilitySoundAgent
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5714886141392388876-8941102631292183243-1213535129-2027382060-706385686-1124195401"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 496
C:\Windows\system32\atbroker.exe
atbroker.exe
C:\Windows\System32\Narrator.exe
"C:\Windows\System32\Narrator.exe"
C:\Windows\system32\userinit.exe
C:\Windows\system32\userinit.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\Magnify.exe
"C:\Windows\System32\Magnify.exe"
C:\Windows\System32\osk.exe
"C:\Windows\System32\osk.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -UserConfig
C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ie4uinit.exe -ClearIconCache
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\a\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402e7688,0x1402e7698,0x1402e76a8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\a\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x15c,0x160,0x164,0x130,0x168,0x1402e7688,0x1402e7698,0x1402e76a8
C:\Windows\System32\se6s8b.exe
"C:\Windows\System32\se6s8b.exe"
C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
C:\Windows\SysWOW64\runonce.exe
C:\Windows\SysWOW64\runonce.exe /Run6432
C:\Windows\System32\mctadmin.exe
"C:\Windows\System32\mctadmin.exe"
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\utilman.exe
utilman.exe /debug
C:\Windows\system32\utilman.exe
utilman.exe /debug
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1055562650-20369968291055028526-161111616171151843-2063975192-1426290071-968131873"
C:\Windows\system32\atbroker.exe
atbroker.exe
C:\Windows\System32\Narrator.exe
"C:\Windows\System32\Narrator.exe"
C:\Windows\System32\Magnify.exe
"C:\Windows\System32\Magnify.exe"
C:\Windows\system32\userinit.exe
C:\Windows\system32\userinit.exe
C:\Windows\System32\osk.exe
"C:\Windows\System32\osk.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\System32\se6s8b.exe
"C:\Windows\System32\se6s8b.exe"
C:\Windows\SysWOW64\runonce.exe
C:\Windows\SysWOW64\runonce.exe /Run6432
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\atbroker.exe
atbroker.exe
C:\Windows\System32\Narrator.exe
"C:\Windows\System32\Narrator.exe"
C:\Windows\System32\Magnify.exe
"C:\Windows\System32\Magnify.exe"
C:\Windows\System32\osk.exe
"C:\Windows\System32\osk.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8753940322127822750-1853342587-16522847008360386631660830970-873430749-740009737"
C:\Windows\explorer.exe
explorer
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 628
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "323112277-10358438-1033016452700847059-1330748291402623858290403121735725508"
C:\Windows\system32\utilman.exe
utilman.exe /debug
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
C:\Windows\System32\osk.exe
"C:\Windows\System32\osk.exe"
C:\Windows\system32\sethc.exe
sethc.exe 211
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19412531421954550781313344011-1615207159-1780950295-864258427-1954857659-815005764"
C:\Windows\explorer.exe
explorer
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1328 CREDAT:275457 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1308,i,1298212300239402602,17711638018405647607,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1384 --field-trial-handle=1324,i,11259940913827840506,12212444998162921257,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Windows\TEMP\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Windows\TEMP\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Windows\TEMP\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc4,0xc8,0xcc,0x98,0xd0,0x7fef5199758,0x7fef5199768,0x7fef5199778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 --field-trial-handle=1364,i,7455865877192020830,10640664324816448161,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1400 --field-trial-handle=1268,i,18401267704054357998,12364571754279006801,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1388 --field-trial-handle=1340,i,8776458224816259148,17609408611201864056,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1332,i,14444567473496082356,2121014453400488819,131072 /prefetch:8
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| GB | 92.123.128.195:80 | www.bing.com | tcp |
| GB | 92.123.128.195:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 172.217.16.238:443 | clients2.google.com | tcp |
Files
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Windows\System32\config\systemprofile\Desktop\desktop.ini
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini
C:\Windows\System32\config\systemprofile\Contacts\desktop.ini
C:\Windows\TEMP\WORKGROUP+WOUOSVRD$.bmp
memory/920-83-0x0000000000E60000-0x0000000000E70000-memory.dmp
memory/920-89-0x0000000000F50000-0x0000000000F60000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edb.log
memory/920-102-0x00000000012E0000-0x00000000012E1000-memory.dmp
memory/920-104-0x00000000010B0000-0x00000000010B2000-memory.dmp
memory/920-107-0x00000000010B0000-0x00000000010B2000-memory.dmp
memory/920-115-0x0000000001940000-0x0000000001942000-memory.dmp
memory/920-117-0x0000000001930000-0x0000000001932000-memory.dmp
memory/920-125-0x0000000001930000-0x0000000001932000-memory.dmp
memory/2324-126-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/920-181-0x0000000002040000-0x0000000002042000-memory.dmp
memory/920-182-0x0000000001F30000-0x0000000001F31000-memory.dmp
memory/920-185-0x00000000010C0000-0x00000000010C1000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\tmp.edb
memory/920-189-0x0000000001080000-0x0000000001082000-memory.dmp
memory/920-191-0x0000000001060000-0x0000000001061000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
C:\Windows\System32\config\systemprofile\Contacts\desktop.ini
C:\Windows\System32\config\systemprofile\Videos\desktop.ini
C:\Windows\System32\config\systemprofile\Pictures\desktop.ini
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini
C:\Windows\System32\config\systemprofile\Music\desktop.ini
C:\Windows\System32\config\systemprofile\Documents\desktop.ini
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Windows\System32\config\systemprofile\Downloads\desktop.ini
C:\Windows\System32\config\systemprofile\Searches\desktop.ini
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | ba8912714de99b7f9f092359c715c2ba |
| SHA1 | 848b2a7ee8e345dfc16058027b97b0d5fb21970e |
| SHA256 | 118165d181acca0cf55eeeef80c65f898c6531de85d54dc5b707798700f9211f |
| SHA512 | 8b4a90c9226c2e4bdd8dc624f4f97fc37c60f46a999cdc79d625415ac5ec669b78edc30a9fd5dea70f204af94c27478e321a574f9b5b1683043a5d1e3e58f1fd |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
| MD5 | 7f1698bab066b764a314a589d338daae |
| SHA1 | 524abe4db03afef220a2cc96bf0428fd1b704342 |
| SHA256 | cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76 |
| SHA512 | 4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
| MD5 | 548b310fbc7a26d0b9da3a9f2d604a0c |
| SHA1 | 1e20c38b721dff06faa8aa69a69e616c228736c1 |
| SHA256 | be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac |
| SHA512 | fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
| MD5 | 5547a64ee3681b1fca07111e73dcc51a |
| SHA1 | 0b16a54ccb7c0284df649594e006ca96e07ac296 |
| SHA256 | c6a3db953cc63f23aa5ff66de5fc6b483f6a1106cf1f77cbd73617b2c4340e0e |
| SHA512 | 21a6b9b2c578ea8d0bfb22c1b37b0dde47395ec958fa5c73eafeb8b865080db132e565c7e8ce2ab1d2e934f414e23b820f3ff3571a7d737453f3ace76d11cc25 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | ca2d2c997f17faa46919e88af4492e96 |
| SHA1 | a451d16adef01927334923b06d23de4f7795ef7a |
| SHA256 | 2f0ff41d51dce10038fe6cf18e086cf9137806be57040c1702cfde48eb7ddb94 |
| SHA512 | 82de205e1dea3a556449b089004371ff7a5def6254643b2ca28743e621e5d9e274092c47a03cd87e824a565b7449285a74cb22580b2bdc159db012538c08676c |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | 71159b34cff803461ccc828ef5cc14c7 |
| SHA1 | bb04181089930fed24a333a0f248866974b288f3 |
| SHA256 | 38d60aefe7b33bce41f093b23a11a6df768ae5a745ede8a9ec861733491e9b49 |
| SHA512 | 78091be628ede33b82689188379ea2c52808e78254ac0df9ca811515b9400a8174a77b1168b8380d4ce3af4f80d332a1652aedb5c619e995d4b4576b2e16c2b3 |
C:\Windows\System32\config\systemprofile\Links\desktop.ini
| MD5 | 98470d9bd7fba55a0c303065f9c4f9be |
| SHA1 | 5303b190e29ba48332f7c90a832ef08af5a1953d |
| SHA256 | 3830022d5d7ef2ae2ca0a2b6ad73f0d4716b49bf7eeeaa87b618988d531b7c72 |
| SHA512 | 134e072c3600bbb3c724c2700da399a14ba5b907153969362b3dbff32c480d39e7f5ecceebc9122a5a27265410557a16eb6bf82c9b635b90ef1fa0ae9efb849c |
C:\Windows\System32\config\systemprofile\Saved Games\desktop.ini
| MD5 | b441cf59b5a64f74ac3bed45be9fadfc |
| SHA1 | 3da72a52e451a26ca9a35611fa8716044a7c0bbc |
| SHA256 | e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311 |
| SHA512 | fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
| MD5 | 453249f95d75eb5e450eb91fa755e1c8 |
| SHA1 | 3e200e187e8cd21d3d1976ea0f7356626254de18 |
| SHA256 | 01bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a |
| SHA512 | 6125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c |
C:\Windows\System32\config\systemprofile\Links\desktop.ini
| MD5 | de8858093993987d123060097a2bad66 |
| SHA1 | 0a89e87ba46538cb73aff1a47e4dc0bcfb4760d5 |
| SHA256 | 4c0d757717dec80eca8c6cbbfdda4706eb38fbbb7624933d5429dafc7bb9f0ec |
| SHA512 | fa348ac4025b599f460cb831338ce010dde8fba87587a6d078d6d594a30fee87ed112e412078c10604553f326cc7bd7627ae93b0e3d8a60cfeda0720cad29f4c |
C:\Windows\Temp\RGI50EE.tmp
| MD5 | 3006752a2bcfeda0f75d551ea656b2ef |
| SHA1 | b7198fc772be6d6261ed4e76aca3998e8f7a7bdb |
| SHA256 | dfd64231860c732dced3dc78627a7844a08d5d3e4cd253fd81186bae33cc368a |
| SHA512 | 3fcfa7c8f46220852dc7efef5b29caba86825d0461a35559f26dbb2540c487b92059713f42fe1082a00a711d83216db012835673e1c54120ffa079e154950854 |
C:\Windows\Temp\RGI52B7.tmp
| MD5 | a828b8c496779bdb61fce06ba0d57c39 |
| SHA1 | 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda |
| SHA256 | c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d |
| SHA512 | effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea |
C:\Windows\System32\config\systemprofile\Favorites\Links\Web Slice Gallery.url
| MD5 | 873c8643cbbfb8ff63731bc25ac9b18c |
| SHA1 | 043cbc1b31b9988d8041c3d01f71ce3393911f69 |
| SHA256 | c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466 |
| SHA512 | 356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943 |
C:\Windows\Temp\www5671.tmp
| MD5 | ad93eaac4ac4a095f8828f14790c1f8c |
| SHA1 | f84f24c4ca9d04485a0005770e3ef1ca30eede55 |
| SHA256 | 729111c923821a7ad0bb23d1a1dea03edbf503cd8b732e2d7eb36cf88eaa0cac |
| SHA512 | f561b98836233849c016227a3366fcf8449db662f21aecd4bd45eb988f6316212685ce7ce6e0461fb2604f664ed03a7847a237800d3cdca8ba23a41a49f68769 |
C:\Windows\Temp\www5670.tmp
| MD5 | c2858b664c882dcce6042c40041f6108 |
| SHA1 | 52eeaa0c7b9d17a8f56217f2ac912ba8fdc5041a |
| SHA256 | b4a6fb97b5e3f87bcd9fae49a9174e3f5b230a37767d7a70bf33d151702eff91 |
| SHA512 | 51522e67f426ba96495be5e7f8346e6bb32233a59810df2a3712ecd754a2b5d54d0049c8ea374bd4d20629500c3f68f40e4845f6bb236d6cca7d00da589b2260 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
| MD5 | da288dceaafd7c97f1b09c594eac7868 |
| SHA1 | b433a6157cc21fc3258495928cd0ef4b487f99d3 |
| SHA256 | 6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2 |
| SHA512 | 9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062 |
C:\Windows\system32\config\systemprofile\Contacts\SYSTEM.contact
| MD5 | 7a9e94a2e036d09e99069c34e14a5e7b |
| SHA1 | 789ffb876a3eb6b5eb353e65ee584edd828caae4 |
| SHA256 | 260c733f537855faee6c022dac35bb7a3246dddc381095b0e1e8adf57538aafe |
| SHA512 | ec7f6fe811a53b596ab5d0ec1333c1a6679e74a15182ab76a096cef73c4f8b7b23ab961d850c14ce751afead0df62e5d9974886c3c5218eaf7d1a468411eb40d |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
| MD5 | d78032acd1c8dd515415073bba52b834 |
| SHA1 | 3c4a449eefbbf1fea3c195e41716b4e35aab4247 |
| SHA256 | 251b1c4fe4b12b65cb9554dd0ee94840ab9eafc2e6b88b685b3fe3a761bbaa33 |
| SHA512 | 14ee576fafad88fb12386919d7dbba962dc45d33ee3ae34841dde90049c63cb0ffce38887ce810ce072bc3153aed9a249b5a64e3ca55cb3309deccecce2be3e8 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edb.chk
| MD5 | 109240ed103d3d4a1b9e30bccbdaa663 |
| SHA1 | d6686324732f98ef9a1f363611b4ab4bc58e86e4 |
| SHA256 | fd7a7193bd945a35305b01eb63bcea90e7f4394194266b2a29971069176d9385 |
| SHA512 | 74cf470e563a376d6c707ac62b4fa7889c34789f0ebdab9be79203a6a39def319112fe0642a4abc0662fb9b915e1398ef692a7b5dc846cb3a395455732a14bf0 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows Mail\edb.log
| MD5 | c109eb4e2160ba5d5aeb4ce40baf0659 |
| SHA1 | 53196582e44a26c705d81228de540a6a0363e418 |
| SHA256 | 7f21e8f231e3643d6a72ca9706542b59fa176be8fe158f04762f831fd5ed140b |
| SHA512 | 0be526aa00cb14ce94cbc6a64438548adecb7838ccb1e06459efb080b20838a8c79c5dcd979196af6cf0edaf6d7278b89167f1da01d040033b8887689036094d |
memory/2744-660-0x00000000010E0000-0x00000000010E2000-memory.dmp
memory/2744-663-0x0000000001250000-0x0000000001251000-memory.dmp
memory/2744-670-0x0000000000FE0000-0x0000000000FE2000-memory.dmp
memory/2744-672-0x0000000000FC0000-0x0000000000FC1000-memory.dmp
C:\Windows\TEMP\wmsetup.log
| MD5 | 031123bd86b265bf6126fb7b2f406fde |
| SHA1 | 3a79714b3ad96ff6a46f1d6171b0973b22fae6f2 |
| SHA256 | 767dadef28d530722307b8f30183d04b23593f2f432a7119edabe6b91cc7846f |
| SHA512 | f5118c7647179665db33bee1706f861ab09e3c866fac331921c54269bc9900b1dfaed240a70316e64f580d7ddf25fae904a61b5e6d2564b2e8b4176e25fbef33 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
| MD5 | 44fa566c0521a2d3fd76a63c50a55db3 |
| SHA1 | 8e7bcd498d59895eca9cc9a7e863c6e392d7ff5f |
| SHA256 | f1f2eff3221ab30881dd6979c583812cfe3a723328625097ce2c957f3693c54a |
| SHA512 | 4289004abed9b93cdd9a488ff86d4aca0584f59cc9ce209f4dee131f111633f8483f854d1ce9a9383c914f569acecdebad4a4fc713e7f14a73dccbb0cba83f83 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | 985af2a51256e8b3561934cfd501cd0c |
| SHA1 | 2e8cf9c730c2da0b49a692498cff29f4c20d5e00 |
| SHA256 | 977188078ba4f9c390243977b1d0f4ed4478a2ad4407be861d757d73273a56b9 |
| SHA512 | 855fded3e4af0b021c9f195307e70922f351524044579fc4a7cb369520d1f8441656ea672665cbec8eebdadf1653aceb36e9af4b7188077106663cd690a2d496 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
| MD5 | 46a4eca2a791d84afecfd9f129a567df |
| SHA1 | 004f2926d9377cc23c5b68ce26907435b8539643 |
| SHA256 | 06b6d34db7e9ebecc07e0b53fedb2a9bc2d4563b1d2037b7630fbc002942baf7 |
| SHA512 | dbeecf882210add0dd4ac57f75ccdf6a9604c3308e92f70747313f89a7f9c590f4e1cdd507e53ee37e0a1b7e437320dc6ec1299d406ef34ddd67dfd900fddd98 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
| MD5 | e4e50dfa455b2cbe356dffdf7aa1fcaf |
| SHA1 | c58be9d954b5e2dd0e5efa23a0a3d95ab8119205 |
| SHA256 | 9284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927 |
| SHA512 | bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
| MD5 | aa8cd4830f0b395931c20e0fcddebd39 |
| SHA1 | d951f7eb9aab2f9c71b585da50fd04af30556657 |
| SHA256 | fb834f07bd23e31fe943be778dd24f50fc5a419e44cb800dea1234467825d4f4 |
| SHA512 | 9a8c828c17f106dcfe35df1fe529bed42356beeb0a5ce35fc4cf80f05a79cae85af0bc979fbcba0ef9e94112be6eec710311268764cf617371ac7defdd113020 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
| MD5 | 9629eec059619f6bc69af29c43db8df6 |
| SHA1 | 5eac910525991a377c4b26f56c445062aa2e6fee |
| SHA256 | be25aed4dd8b6caea5885fe17f19318180b28183d8592fa2058085ee0d7cc826 |
| SHA512 | a1019ce17fa50174fc9dab7fed868cec5094c76d781f608dff80ad8e15f1bbc370715185459ed14ad40ccda36387286c11abeeb1154933f9023c596831acf7a6 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | 901cc4a96ebb6a7f2da932b48cf7f42d |
| SHA1 | 5179a95a931f289c2a6757a3cddc905b19141edf |
| SHA256 | e7fbb1ead34b0845a33c9282aa9a33b5b4778f81a67e1f1feb08e84a93adfbb0 |
| SHA512 | 5902f4321899dba5a69fe21cbca5711a529a625f9854c47b5619c700fde7ab44de3812a4ee0f6d8371b54f28063a7b544ac6bdc1f0925d9687a15fc84962baea |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | 9267c0fefe13ed1244cc75a84bb4cf47 |
| SHA1 | 8ec9579323be9cf7af7ad1a06abc8f13cab1e76f |
| SHA256 | 4cc5d1b0ebf0eb12548bb71cedf7449190a797e9e67e8bf6ed77af90b22da86e |
| SHA512 | 27085c1432607646a35991cb8ac81204cb1a514092e98b23747bdcbe24496ac8ae7931306eaa0898ba5589da43da92bf9e2f4b3ac45d05205b83b39bc67c613a |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | a484a0671307fd752f8bd6d3458fafbe |
| SHA1 | 8af5008198fa36aca96237195dd911223c52acd9 |
| SHA256 | 8991eee70e43ff028231708ae0ec3f5b591b81d1ca29dcbfd86fb9f99d37cb76 |
| SHA512 | 23fc45b9ac2878c112c2b22147c10c7bb6114731d7e0e57db657b2161a1852713aaf75f98adb2001ca403994edd3a519f8e3763fde02cc4b7d76f1dbe35612da |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | a6384e51890fa743886d0f091520b27f |
| SHA1 | 677b32ab80879e1bad4855f8ead853746728a002 |
| SHA256 | 12b99d8c15ff048e562ed79ad5b2426f1b65900fb761d3134697c9a6f85ad93d |
| SHA512 | 239b163bc421029c782d4289ab3af8f3af41504d45d3a5c36084a222e8debb643489c857792caf42a46a09ee934a983bb53d83224f8c5a97b1ceaa0529d8d2e3 |
C:\Windows\system32\config\systemprofile\Searches\desktop.ini
| MD5 | 089d48a11bff0df720f1079f5dc58a83 |
| SHA1 | 88f1c647378b5b22ebadb465dc80fcfd9e7b97c9 |
| SHA256 | a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17 |
| SHA512 | f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8 |
C:\Windows\System32\config\systemprofile\Links\RecentPlaces.lnk
| MD5 | 0025c3a7d7c4e90e58332958b00d83c4 |
| SHA1 | 01dd4fdb260f66923004acb5a874111a9d14da38 |
| SHA256 | 36db348143da1b5c16b9074940e85761950ee30b533b7ca75924f2f4ef6b253b |
| SHA512 | b5631c94bad794541d16f2fa3a02018f4b34b680b63a9f3b6a3da4329216567a7ba9ceb8d4bd18165b0e55142f42e039f160ec675c0946237c276de1a6e642c4 |
C:\Windows\system32\config\systemprofile\Searches\Everywhere.search-ms
| MD5 | 0fa26b6c98419b5e7c00efffb5835612 |
| SHA1 | d904d6683a548b03950d94da33cdfccbb55a9bc7 |
| SHA256 | 4094d158e3b0581ba433a46d0dce62f99d8c0fd1b50bb4d0517ddc0a4a1fde24 |
| SHA512 | b80a6f2382f99ca75f3545375e30353ed4ccd93f1185f6a15dbe03d47056dad3feea652e09440774872f5cba5ef0db9c023c45e44a839827a4b40e60df9fd042 |
C:\Windows\system32\config\systemprofile\Searches\Indexed Locations.search-ms
| MD5 | b6acbeb59959aa5412a7565423ea7bab |
| SHA1 | 4905f02dbef69c830b807a32e9a4b6206bd01dc6 |
| SHA256 | 99653a38c445ae1d4c373ee672339fd47fd098e0d0ada5f0be70e3b2bf711d38 |
| SHA512 | 0058aa67ae9060cb708e34cb2e12cea851505694e328fd0aa6deba99f205afaffdf86af8119c65ada5a3c9b1f8b94923baa6454c2d5ab46a21257d145f9a8162 |
memory/2324-946-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Windows\System32\config\systemprofile\Links\Downloads.lnk
| MD5 | 52f58ef75be09db19cd18e257d52f8df |
| SHA1 | ac66f2887d9dc44471718212232269f04192ba06 |
| SHA256 | d21f9765a1482f7ee5893b65929eb87967ddc6116dfa5761a03bd86bd2506e53 |
| SHA512 | f9891c92e252229aca176e9801c33821777782b9ebca31788fcd84f604d14b22b52b78dcbb731945f23ec914ede5a0342e80703643215e1b16b73a692d5187ff |
C:\Windows\System32\config\systemprofile\Links\Desktop.lnk
| MD5 | c7508731a2b6c49a6aa82fc9dba9830f |
| SHA1 | 34a0049e9e93dded00997c8ec20772ca77f377e0 |
| SHA256 | 2e80ea99eb5b7145104e37637ebc9225840990cb73e221da607c2c64239a24d6 |
| SHA512 | 716df8757008d75c14d6dc6c9fa22382d740cce534c7ecb5769e552e2d2952439526275468a83345532dcbfa2dddef1acd439526392ce8a651f43a28b4802703 |
C:\Windows\TEMP\chrome_installer.log
| MD5 | f5fbcfb612f0c4708a3a8d550b944dc5 |
| SHA1 | c784b63a222944f9d0043dd8d139223637a68e3e |
| SHA256 | ed1bb1ed8bfc88f823538a01d77d683e48f56dfa327a02d642737ee270009cbc |
| SHA512 | 63eea439a9b5f9bb0fc823a9f84959205b7b97ea77ab98f3e8496e94ccc92653b7544133338741f8cf46af5553a86bb42d3e9b4416707445d65ffe4e78f8d230 |
C:\Windows\TEMP\Crashpad\settings.dat
| MD5 | fbc2c08eb2fde2d2fea94fe2af628140 |
| SHA1 | 828e80b533e172694a8a6a53c4bf4ea0edd0b1a4 |
| SHA256 | 84dd05237b7e2969c2d17967c915548a8e52d8845553db732208e24269edaf0f |
| SHA512 | cfc8c236d3845d51e71f3883b07bf5cd86d84cc016aaadbedd45359aa41735cfe56bef6eb972311e1673fcccf57bb68da7c76b64cc10cd3fab3f31ea377c982e |
C:\Program Files\Google\Chrome\Application\SetupMetrics\3fc83643-ed31-4a72-9931-c0e9faddc34b.tmp
| MD5 | 6d971ce11af4a6a93a4311841da1a178 |
| SHA1 | cbfdbc9b184f340cbad764abc4d8a31b9c250176 |
| SHA256 | 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783 |
| SHA512 | c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
| MD5 | df676f824e04bcb8a9c2018348421b7e |
| SHA1 | a7c30cd2e2ffc83db3380e0ec1a15995f7aebbac |
| SHA256 | 8c0dd38dfb440eb9b9574e2fba8730555b448a36317e1e2009d1baec9b402ed8 |
| SHA512 | b01fc1785ef04eea68a160da74232ca8fc36b50c5c247e75adda6969020b605513821384e91da5d77aff2918d66cdd6368bd58354f7deeaaa1c39c504065afc4 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
| MD5 | 44b4076a3a5c5aff04af9700023b4f9b |
| SHA1 | ac9834f3467586fd221ff56b9c2f6d265ade4446 |
| SHA256 | edcbf380dd69d3da4fb353f892aac892bd9e1b0f9b31f73bec13d99ec4751720 |
| SHA512 | 8415546192b733bccb57d4db2aa6186008aca8e6af566bba6f43b8ff8177438e431f7a1152bcc24312e43951e470bff1875c3097465229524a9f03b06d6ed2d6 |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
| MD5 | cdc7913e0136040eba8a7c699f0def75 |
| SHA1 | a70d6038a8e4752fcc131615a5beb297ec84202f |
| SHA256 | 69fab77531bd464c292aa5701cf0a56ed6a7951d36e35b88749ea4d656c87741 |
| SHA512 | f60d5086d38e879a774fb9c79c04f8fe4f02963cd310f40cf4aae1bdb939907bfa529af4f5fc43b29cbd910907e1972545ae1c0bf086969c75438668d235ce9c |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | f905d54dbb3f9be52ec48963750452f6 |
| SHA1 | 16c98d1292323a44d1719374ec165511dcb5d980 |
| SHA256 | 62d266a207c9f75ddc78b62e22218df9bdf5c8362f33bae69fd4cc02ea1256ec |
| SHA512 | cbc9abf8b31597c2e786c7da58896aae17fa53a3b3a2e5eb7612350387081b3d36e3e08f39cf6bcedd266bcbae0b0d4a5aba767b3274950c1fb2da7248693200 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
| MD5 | e0fd7e6b4853592ac9ac73df9d83783f |
| SHA1 | 2834e77dfa1269ddad948b87d88887e84179594a |
| SHA256 | feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122 |
| SHA512 | 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55 |
memory/2324-1058-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2324-1071-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1680-1073-0x0000000003BF0000-0x0000000003C00000-memory.dmp
memory/2324-1093-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1096-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1097-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1098-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1099-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2324-1102-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1103-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1104-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2324-1101-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2324-1106-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2324-1105-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1108-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1107-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1728-1115-0x000000001C950000-0x000000001CF58000-memory.dmp
memory/1728-1116-0x000000001CF60000-0x000000001D0E4000-memory.dmp
memory/1728-1118-0x000000001B9E0000-0x000000001BA98000-memory.dmp
memory/1728-1117-0x000000001A760000-0x000000001A7FE000-memory.dmp
memory/2324-1119-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2324-1120-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1121-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1122-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2324-1123-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2324-1125-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1728-1126-0x000000001E040000-0x000000001E077000-memory.dmp
memory/2300-1127-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1128-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2300-1135-0x0000000000C60000-0x0000000000C61000-memory.dmp
C:\Users\a\Contacts\desktop.ini
| MD5 | eefa7f76ff11a5ec21bb777b798ac46c |
| SHA1 | 2e7a65ea8427d13a92ea159a5b8859ff99d2a836 |
| SHA256 | 840b46ed74821b5b61ca9ddc51a91cfe9151d11a494c89f183fadc02a78ac8ae |
| SHA512 | 111301e33c0b33c154ffff274db5eb167de0ddb4e769cab9a2d9fcd2882e6192053149abbcb00d17ae5f7661bafecc1111aff2025c89d07b247633bbccb0e3ef |
C:\Users\a\AppData\Local\Microsoft\Windows Mail\edb.log
| MD5 | 00a56766f684e4576a1c172eddfcac14 |
| SHA1 | dc7544b6a988e14e47803d005335626c2ca05976 |
| SHA256 | e2fc8aed0503ed7a78e28f4a786d47b0bcc079a652b6816e2ed2d7123f0f6880 |
| SHA512 | 0b73e300069865aec4903c14ec2c4f1fde9b40257ee4822c1e1e9ba3ff21fb6fc670a95d2a1184df1aa0d7530cbb14d39624b03bc590ab159e1f0bbb070281cb |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\01_Music_auto_rated_at_5_stars.wpl
| MD5 | 3094088e14afdc15d7427b093b8b7b17 |
| SHA1 | ed10bf7cf3df61ba95f45dca39042473efe07197 |
| SHA256 | b2b5080d83a1853fbec424e6b179b784c57716600e1b58dd8b2c5fee0e098fe5 |
| SHA512 | 50cc06540177f4d9c5ae4d458f16ad725410388fbb36109e09a47b08c5dd6fca1a764858c5259c5cb781f8962cfc81226d79c5877f5cddfc47b84dbdd5966f45 |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\06_Pictures_rated_4_or_5_stars.wpl
| MD5 | 0a8a40ca87323dc16893194b00c7fe77 |
| SHA1 | b88a42a85053e0a7483e331b66ba5a40a6290e10 |
| SHA256 | 9aa433bed2e090cc6904f1c24d5a7b5a1ed6d8f71a997e661b886c69383fd53e |
| SHA512 | 5932f09106d622054e6d624221d754ff471e3f37d9f585ed23db7f7327fe1e2f624b22a8f7f2827b607fdb9a30683b8f20c48a39cd35a57ad5cb78467af2c20e |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\05_Pictures_taken_in_the_last_month.wpl
| MD5 | 821d2be672f05514127c117cef460c6e |
| SHA1 | 1c75f314e7658a3dcdcad315e301f2bae6d47b31 |
| SHA256 | 3abdb6cbd88ad1557054ece3f10dd1a8494ed32f423b3cf8321b18decc489474 |
| SHA512 | 146d6293173b80ffe3721ae6e61293cc1d838e8a72713be8b859ce33c69ef753408057be9ce15a78d573e253548ee674ca3fea77efa3d330ce8c8a50f8a8a988 |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\09_Music_played_the_most.wpl
| MD5 | 467e71aa2fd951eb0a1af3d6bb8378e8 |
| SHA1 | fb654c0b2663d4fa5fd0f1658097d936dd0429ed |
| SHA256 | a54bc2cad63ced4fd9ff2a3a094a26e264e8a5ce8139193896d13236f494e2ee |
| SHA512 | f9242a4925b910f4a114652967a6e2f49444a3f0d9f35402fef28cc8d39c58720930084112baf92eb6716af541fd76e3803ccc1e742cec07f1d4fb6abc13a42c |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\11_All_Pictures.wpl
| MD5 | 74294ef495559ed32731f19096d70312 |
| SHA1 | fdc6cc849270016d2a382d7d0daabf44a4556cd9 |
| SHA256 | db34d82f2cd23e6e55a64e12d2a0a9c27ac2ded156483238f22a336ca6825110 |
| SHA512 | b068d903b83945f146abd4cf384da99af608643c62b647ea65db33c3b0e0face4727a74be3210a9c6469bbc403d1f5c59d92cbd57722737e992b0e4f5e66662a |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\10_All_Music.wpl
| MD5 | 51aeed11707741118e0706c1259df22e |
| SHA1 | 6434e915b018c6d15898fe0a4d006bbe3e1edb60 |
| SHA256 | ec286113e5ad77ac34063589a137a6dc4b4cab8845cd9c5386519983fa3b48f0 |
| SHA512 | a674487f9cabe1fb2809cd98958dce696f7f066d3738bfb30317201ed804df3c72f2d24d6f9c0832cf446c8a965e21f3ea50aada1c69860a12340d6eca88e942 |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\12_All_Video.wpl
| MD5 | 372d0beebea5460409a6a1c53ac52a18 |
| SHA1 | 1b5a925e00f9a4cc3a18feb8f74a2e39ef11eeb6 |
| SHA256 | 5b8b62b35e5dd8a46ccccaf3fc3743be9e0965d24cbcd20da2681065eeb37ef3 |
| SHA512 | efb412e3a17f4eab84fb9f99b9e420d18e23610a9a66bcd7298c3ba68fd24abe0c1f2e58faa411e059788d34f4cede45f9e25c6578d13faefb8ee79acd50f2e0 |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\08_Video_rated_at_4_or_5_stars.wpl
| MD5 | a3787a42b81fce0e448976ad158edd93 |
| SHA1 | 45ff275c0c32eab1f0b56e8b61e8ead18cfd1675 |
| SHA256 | 94bc17ac59bde92fbca00fcc69aed68fcbfe2c1754dd45f4810765f5fdf774ff |
| SHA512 | b36ca10f580ec9d455fb57149bce1897fe48fda6023b2fb55b6b4b80a91f1754311b91edd72c13103e0da9ed90b696c28d6904ea91984ade69ed50791f4065ae |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\07_TV_recorded_in_the_last_week.wpl
| MD5 | b9987b1f9df6d0afc01558b907e62a16 |
| SHA1 | ef202d5d6f90b37c71cb757f3babb0857ce54d86 |
| SHA256 | 0892efdb8459d81d4c5e1085239734d9910b9c6a1debd7189cf385141f0b19d1 |
| SHA512 | 6bc86075632c3e56ffe1d371f4178299e93e014f5c5c83dfdca2dc9efd1155633409c79ec87cfe2afd4374b83771ae56a3eb7fac00f83921b433cb49216037f9 |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\04_Music_played_in_the_last_month.wpl
| MD5 | f8d3a4cacf055f5ec5c62218ea50d290 |
| SHA1 | 974474ce3fe345d8015863bd6ea7242ba118532b |
| SHA256 | 201f2170812cf8041964c4d3c5ef539d96adeba6a68b69ecaed0affe3ae8e25f |
| SHA512 | ac32cbeb05fae672047705679043aecf9b56314baa09c2d3abb7eac655710d7cb2c967ea1772767e366bb502e8ad6de375302f51ca62a76d962ee539b45bfc21 |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\03_Music_rated_at_4_or_5_stars.wpl
| MD5 | 6d791b697af46d6777182af7f18c2955 |
| SHA1 | d73e8b5f4ee646c1c4ab6d23f3cb3394cb833ca8 |
| SHA256 | 4825eb90140f6b2f4f7ed0df66b24e10ff5d0da70af53ea495fd30b3aa791870 |
| SHA512 | 268cf327a9f471d547ad1dae47833cf6d722c08f9cbf5e7867a422282ce52dc320340ded93473a598903bfee9bf6a1a3393779468dbeb27d3390dbd59e6d20ba |
C:\Users\a\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0F857668\02_Music_added_in_the_last_month.wpl
| MD5 | 907bfc98ce854ae312127c952d8be0f2 |
| SHA1 | 02defe8c5f9cc85742e45ba55e4fcfe326fd960c |
| SHA256 | c475dc7423c2ad60f25adaac754cd8b68b57ff04f26ecef78f3e5961b986a324 |
| SHA512 | db4045f992bad6ad660769a22345c5e0d965ae521d6828d612b15f0163622c629992c313a41bc9e381f9b0f098117eef840d33100af4c6a3634eb0013a7fe1c7 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | 696bffbc8cd1ad6400f10220607837c6 |
| SHA1 | 4f7aa526dcfe9b2931d58e3730d68aec56ba8c15 |
| SHA256 | 5ccaea1aa0a029d4c535f919ff30467be23ffc8f4c20c213a29e1b7da74407a7 |
| SHA512 | 7552a73d36c23f85df32dca367d9719dc699ce6823d55f03fa11e27ed1becc80b5e8842ca9e102cda1fcddc508149349f5ed939e7596ff04820a1139f0799363 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | 328eb61b3b6dc7e61ac91ece9750060d |
| SHA1 | 19d1b7f65a2831aaa9c4ec8fd00d49618ee4b2e2 |
| SHA256 | 5172eab55cbbbc37e7a744a5d575cae6f6d99f1ec2e6c79f8511020506ad103d |
| SHA512 | f766b2ad48c9487b4af00670e062c5e7c5ca5ebbf42518175c68092e8ec84472329e0199d3623dfd71c7c2c187cd342003d17c1d3f96aff3cfeaad6c5dd7bfec |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | aa4238553d2ed26c73021359686b1cb2 |
| SHA1 | e14f8be45c0fa3a445420d9865132c3fc5281fa1 |
| SHA256 | 9f795de97f11345ba27e33a1d576a1f526f7d129e658257c11629bd7a5e23886 |
| SHA512 | c4bff8763338af4cae951a22a468ce0ab0c3a808d3717719a90f338997de839dde038b5c86af810a16dd94c71ab29b055564ab43b49d5a5b6c87a2aee8aeed78 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | 3fc669f0e1f30f354f677dd13a210821 |
| SHA1 | 763f14287caa2785c1d257fc1056c5b48457d63b |
| SHA256 | 487d8830b8e13a1bd4ee6a8f1c6e0b43418157773c7359a0578dee2f62171ec0 |
| SHA512 | b3779f4af5d00e854f1bdf0900f51d4836a4e2f2fdde61b300b4a9f064510c4324fddbeb1a6d6aeba9f20d5ddf56dd8bcd14a8b5f7dbee76a8938cdc6f530594 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | 4f92139cd322a396d7e0d25e5d151301 |
| SHA1 | 67f94e2990106d9481e78ae08356d7a4ec1737d1 |
| SHA256 | f47afaacc544f681170b9d6ec201dd92d2a166966da9ea1274675b1a9d6c4b96 |
| SHA512 | cf135d6a55e5744b905d2ab65d7d021133c353161a431a1026055632f0988e5760c7f0b334d17f3dd3ef1d98320efd207c36db1948adc00d2fa6035a172498dd |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | e05237c9f82a4d653a2ebe00c6209598 |
| SHA1 | 1775c48921edfcc3c5b16e6c3fc995b76d592a8d |
| SHA256 | 7068e350bf2de30330f5aece55e2afa09f715c6039e485d7465b543eb916ba98 |
| SHA512 | dc6694a0caa5d48512792539abb2cd1fe2d72c0560ac9c7eb9657a38f97996e5460652b35c20c130d58a3e9bde8b43f760a68852e29fc54cb3a0b192af427cb2 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | 7e40f5e4b5efd5dda70bf756a98ac8d4 |
| SHA1 | 838770370b9a7c2a44520e1496a52b03ce260629 |
| SHA256 | 3a20029b5abed0cb1a6de9d1addbb2cb3ad5648fddcb5b4cb9e4a66dc3a90263 |
| SHA512 | 240a1b362d6bf82d0e8cc5e4c9614e04e3526ce44a15e8215a48c5147152694090b132bce1aba728305afcc0284b8369caf12c908178e0399bd44ddced7396f2 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | 9deb94fd6bdbf6c96f855e746f9201d6 |
| SHA1 | 99d050c590bdc0f8c6ab614fd1603e224144783f |
| SHA256 | fa2436544ff7499f1deda8ff7ca58b6edfbd25317d640e1d90487dc23203d333 |
| SHA512 | a4eb6786692859b6f8e088a21c0175e07e70a6f9ed0d6a679e96b39586838861399dc972d288b132348559e9748cc4b9403b596da20577a7e642346fd44c9373 |
C:\Users\a\Links\desktop.ini
| MD5 | f458374ae40c626735132badbc5b0370 |
| SHA1 | 3d65ce3308dd1e4bdc2edb5f082aa6d15984d08f |
| SHA256 | c053541e6dfaebf133f0e0c6712d42e9905de896814d4c10b8e728f0345700c7 |
| SHA512 | e076d1f2a20fae037dd2dd7197d20b41687c9652d2e42e3c567806a0775a2a5427b3c481dc502315c5bfdf58cde908ee89e073e0124393972211ff5375f454e0 |
C:\Users\a\Links\desktop.ini
| MD5 | 92adc8410cd8cb1d0481e2adbb62c7dd |
| SHA1 | bac1444ebe0bac748966f3bee84ee11e151a4810 |
| SHA256 | 4a3d7ccddac5c1b437fb687e90589015b9b9ae7708ea35eed9917d1190f65694 |
| SHA512 | d7c3a5df50b28e336ff24f828cdf225554d199d3c2a857e2a7baa1f2bc1fee21944733edee52bd665ebaee999f5668d03497e9bfe88d58d380b74e6046ec5d62 |
C:\Users\a\Favorites\Links\desktop.ini
| MD5 | 3c106f431417240da12fd827323b7724 |
| SHA1 | 2345cc77576f666b812b55ea7420b8d2c4d2a0b5 |
| SHA256 | e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57 |
| SHA512 | c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb |
C:\Users\a\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
| MD5 | 2b2994c64755e836b0c3e6b746c0c3f7 |
| SHA1 | c23ebfcfbbc0653519ee8f696e0ef0e6e67e922e |
| SHA256 | 41e259349b059b6e4a86cb0d22ce6cd3049f9e57333a0d2ee4d0ca5fc598af05 |
| SHA512 | 6306a00536133d18b5e8766b949fba9cfe7d64246dbb688245fa17ef58d3cc4617cc79a25f4bf2d559dd7e997a37e8db429d6d3d40b791191d73adced571edb5 |
C:\Users\a\AppData\Local\Microsoft\Windows Mail\edb.log
| MD5 | e60000f14095f2834871c99e186779ca |
| SHA1 | e302effdb5156d36fd508e7d25043ad0c3a55181 |
| SHA256 | 368123ab6244d6f2ca8ee44cacb14d48c8f59e76d4ee10d35d719f1882dd61a0 |
| SHA512 | 01ab5871ca480efba1a224259ae7e5395b88ae929802e2ae301df1bb97400d6f9a06add39dde05038555b7f4e18a448a93c196b7f3a5cefa0bc029578a0c8b12 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | 4bf7ee430909cc0b6e4e7a2ed41141e0 |
| SHA1 | d51e1c3394a8751cf5f1c1bcb04082a6ef7a0f58 |
| SHA256 | 791e27eb0b16a97a26d6290c2a8f8aba449ca938e3cd631efe5702b2188bb02b |
| SHA512 | 0e26090e9bc7e1d5d4a76922efce091f2fe0dac89386c5c27bad84a9430baf51850810c79723ab2c7331820158c6bbcbceeb8e73b5e0ef8be3102a46c6b989c0 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | 5becd01e6a16dac437399d7ffd2cdcb5 |
| SHA1 | ca8129c8692bcb4c6d73898bfb4d2fcd815e2994 |
| SHA256 | f3b4bbae539d7a7a4fec7579aa12ba57cae5784bcfb9f327673a8c3130723568 |
| SHA512 | 20960af6abe59dff0c1bc09d2b2ae72345fd92bb8535349e203d8c0d6506e2fd70febe9dcb297b8e49c0e083e9d828ea8a86160c069d8f47b0ca4adb6cee7c36 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | c145df9d736dcb660bb30fe020062487 |
| SHA1 | fa3bdf46fcfecaa6f0b74d0aede96be362713a27 |
| SHA256 | c50b793b306ae27de1535c6dd94bc20ec61c134ca2147b17b87bcb3ec83829db |
| SHA512 | 02f5bba735c0b262f1037e7049ffbd4f937ce02e898a7ddb9b79bda970525d3785411a9c33583a63afb8698bb382fc0dcc253197e9b9b2ef83e116af40c7a988 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | 2d6517a607b00b244fb26c46ae7687a8 |
| SHA1 | f6066a70cc0f5ae832dec2150c6285b10d23e0a7 |
| SHA256 | 57d5a53874a31417ff1a34f16bdd956e2fa35129a041a37c9440f2c4cc2d9e46 |
| SHA512 | dc7b220523dfa03c9293e854b423eec1bc8cc45256221ef8e4c1811b549395dc459a94f1d5299476148e282f48f8ed201c9ed395629a5b0fcda4def2d48919d3 |
C:\Users\a\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms
| MD5 | 706ce9871e07e561a9dca8cfd4e20e37 |
| SHA1 | 927b4b444f80a2e11f5b02b794f5aedfad3eab34 |
| SHA256 | ae624b734dee593e191690da75f4e3b929c5d0d0f1a99c01ef439f5c94bb71a2 |
| SHA512 | 67c5da8ec9e6bd0e6172a253feafa5997929987e2572cfd7a8b84f7b7aa2716aa880e24a7c7ab624314ea9ea2573124feec49a21ab04a0435dc731ef13c5ace7 |
C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
| MD5 | 7e02f61f0d0074633ea6f14465d8a254 |
| SHA1 | 43e005bf8403134c87b9c88bbbd959c120160213 |
| SHA256 | 1c9436f575489f2e9a3a89792f98ba435baceffeea04889e0f406e28cab72d64 |
| SHA512 | 86f24576884c869dd77cd22466617dd62678b208abd3f8bc63d36415089adc478764f220b58889ad21e1c9c2c023595ce870c82976205b1b91799a19ea41fb49 |
C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | 1c61dc21f9b83172d65be1e94b79026f |
| SHA1 | 7324473ddda64b87c299bf6e3b9e9aff53f7fd74 |
| SHA256 | 8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b |
| SHA512 | 9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8 |
C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | 9a1b13fd914dd7054b83bc1760c99ab8 |
| SHA1 | 340c37602b11cd3cb9ae681d09bfc4c81f733742 |
| SHA256 | 7f0a9cc0be951d60d6c8e60d1a612bfa65fa390020d7c0c80f212ba2a47a4aa3 |
| SHA512 | 50d48a348c71fb9e89ab01e59fe599b692a1701f19d2c9de6ae09678e0a44ba95020b1989f9c776edcacacc5f2b2b348b0f31aa28c04850e69e47cda6dcaf88e |
C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
| MD5 | 47b2e1c4ddd5fa161f4e7314222d7a29 |
| SHA1 | f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4 |
| SHA256 | 20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772 |
| SHA512 | 07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b |
C:\Users\a\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | e5a8eb64419f6d85a1b7aed2152616c2 |
| SHA1 | f5d94f8953bb235e35fccec0ea4f14ba69443081 |
| SHA256 | 5266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7 |
| SHA512 | 7c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6 |
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url
| MD5 | 2578ef0db08f1e1e7578068186a1be0f |
| SHA1 | 87dca2f554fa51a98726f0a7a9ac0120be0c4572 |
| SHA256 | bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3 |
| SHA512 | b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee |
C:\Windows\Temp\www4FF5.tmp
| MD5 | 2ce792bc1394673282b741a25d6148a2 |
| SHA1 | 5835c389ea0f0c1423fa26f98b84a875a11d19b1 |
| SHA256 | 992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48 |
| SHA512 | cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749 |
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url
| MD5 | 11cede0563d1d61930e433cd638d6419 |
| SHA1 | 366b26547292482b871404b33930cefca8810dbd |
| SHA256 | e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9 |
| SHA512 | d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752 |
C:\Windows\Temp\www4FF4.tmp
| MD5 | a1fd5255ed62e10721ac426cd139aa83 |
| SHA1 | 98a11bdd942bb66e9c829ae0685239212e966b9e |
| SHA256 | d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4 |
| SHA512 | 51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370 |
C:\Windows\Temp\Cab6177.tmp
| MD5 | d59a6b36c5a94916241a3ead50222b6f |
| SHA1 | e274e9486d318c383bc4b9812844ba56f0cff3c6 |
| SHA256 | a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53 |
| SHA512 | 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489 |
C:\Windows\Temp\Tar63CA.tmp
| MD5 | b13f51572f55a2d31ed9f266d581e9ea |
| SHA1 | 7eef3111b878e159e520f34410ad87adecf0ca92 |
| SHA256 | 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15 |
| SHA512 | f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Windows\Temp\Tar65F3.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a625f00a81ef7f22e6e2fda767d1f23f |
| SHA1 | 82a5a176d18ae60729d4df4fc7b3d72106102fcf |
| SHA256 | ffb9554f4c3756d9f2dbfa6a6b5f8f90202791d9f33b9c3d5df6aa9af57bb3ee |
| SHA512 | 62f4f541650963a80d249e31ade6879a192e49fb5eb67b9ee7a10efcf4a3d38e0035a181b5bce9a768936ecb3328cb97ec4447769e167a70494a65a6df577b2a |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 17fd88a50649176f195c2122d912a5e6 |
| SHA1 | 591a028a05af350b997c007fe844a0eea20b71d5 |
| SHA256 | 63ec71e3b74a4096059c3bf4169a58cecdef04e0f05f007b405e24c99b3d2828 |
| SHA512 | 7e0024b7a0c155c91904a14b0572fdacfbea39e8744d769354bc00ec3b39f7617328e0e6445cbf1294e489772fbab0b7788143874daa7f827a70f53106f742fb |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 1a6201b3c9033ac177ea25bdb5cb82e6 |
| SHA1 | 685e1084221b55d2a9ff7ac776fd02c448604fdd |
| SHA256 | 6bfb2a5b8624dcbc38379697961b48cd27c809c6b374e808527cb369388db230 |
| SHA512 | 9834924ba35926b317181c3692a518b415d62670ce7d269e4ea0a76670109c596f522e9aa58064670ca0356ee1f0c042f97359e55b02d209f65de32f1231cf0b |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e3a9c9d147c226ce90e62a8a2831463d |
| SHA1 | 5d91a215108843196b58d34ef4dd283501fadc5b |
| SHA256 | c5e9fee401caa430854fe85d6b042c7a01233c88c1cae1c7f596f0e4edfe5997 |
| SHA512 | d4398afdbfc783725b30cde25166558832e99fd77a6af9537cf0176376bcde7499668b9f4f6271698e76ab899efb08cd1fcc90d9f71804255b020e24e5407f35 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | f2802e0c0b70dd5ef831e29dba2fb1dc |
| SHA1 | 0dc5e607a2f237c672b5731587b1f33385a2628c |
| SHA256 | f438f6e3c76cb0b441695b7c5c5a8bc393fe3c2b2e868f993cb6e30bdd0d5f2c |
| SHA512 | fbf693de43b0e5a856800dc2a9020354683846a8039312472f5b00e5ef430aa469f5fa476e93fec640911a62863effbf54aaa44cb8e464777cdfbe7916b181bc |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 013c60c02047d81bec06d552eb5a3697 |
| SHA1 | 7cb5fffda182b48c5e76b68aa7a27f93ce8a5619 |
| SHA256 | 3160bec785b0e43b0a12730810d571b5821ecee28917a185b905f73ec408af85 |
| SHA512 | 560dc6f8042d5bf2517a6004a329f9eae1c9dea525a8094ae5c82abb3a4f5c816e9556e1c623ef67e710f04e60990726df04e6c5996dc7246deb8505d1f50d75 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b8e50ae5e0cdd1c65b4367fcd5b0f9e |
| SHA1 | 55c6966a8dd677524319547b3b46b110bbe8d129 |
| SHA256 | a282b07beb1ab06eebbb3c8230c0a7dd5adede080160b41759207295717447a9 |
| SHA512 | 7dd60e199c97a764ae429b67463dab58131471d5e67352a3f933a23fde083b389920eeb11baf47c88632defe8b3a92dca5a634771998d13fea4e114c12cc0cea |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 75b20037416ad8771f5dbb4ff01ea30e |
| SHA1 | 01e4b9e338ba791bfb713ff9d89f4a8cdbf67e02 |
| SHA256 | 112e22670f31189038c2a8cfed7fa8071c1978962a463895ceeea4c08bc90316 |
| SHA512 | 3483353c0761274650826a8805eafcff8115c0b38e351a46cb456eabc25d5c47f3796cd8498157ddf82385d03d6a5b5279f3b6dbe81bccaaa8ed1e40343f1fb7 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | babaa757228a482bcb94e0c697dd005d |
| SHA1 | fd0367c941070306d6cc35f0e1e10f0db3ef5bde |
| SHA256 | 458ecaf2c37dc6a1bb71f9cf70d04f1d7d39ca983fc15464e89ba0008655cbb7 |
| SHA512 | e6755107f9985b62780223c9a2ba8e06486898eeae00f506d654e603058fa12692bff8e836510463563f7419a98417a17fa12c1dde765183a123dde8fe82a1db |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d068b7c1d5e1c77cfc2ae726112cf928 |
| SHA1 | 5984a5458bb7a862773cf55cf7bc7ad02c14de90 |
| SHA256 | b2ba74c93d014bb663f30027b5cbcee263a479af06754fd19e5e751d814a4cec |
| SHA512 | 6f9c1fcaf295d16a46560f0c8cf36d7c5773b6b101e59d223b3befae333f10b855a7b321053790974b2cf0e33f3d6d884271d2f6d794ed6a19381633d217d4e5 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0ad4dd4e899970ae347e256e95beac89 |
| SHA1 | cea57bb43f4ae695032bbdce265ea4cdd0683356 |
| SHA256 | ecb3733000b69af27765a8b89ac5259bc72a3fdda925e168d99e1e1a4f6eef28 |
| SHA512 | d84c025b15608e900816337634ec1e07662e5e7e1e379bf9ef4c8b1a7a1c1a8ad1beb21f56ac500eb30c4a13b5092d07c6b4cd93f498fb5ed2e5c0ac5a71528d |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2c3f6b4c843e4d39ade71a294d8097a8 |
| SHA1 | e513134617c36a55a990d027357790f316add38a |
| SHA256 | c5e5804be6b8beff86d2440d1a51e964230745072b739e150c0f691ae4ebb985 |
| SHA512 | eb58e3d00d2c13cc788d67bc254eb5217258931ba6581c0e3558000dac33fa64192be78ede235773d18143a0bda9fc7c9c1e56982998460b0e20e5089f4b0998 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 12d5130ae9b7dcdba375b11954f0e08f |
| SHA1 | 77c6de12630c0c808602004b515d52381db3f662 |
| SHA256 | 830eccbd1b55e3c0720723f10418af5c5e4a4d5d7478eb3b18b3c8eb2f850a32 |
| SHA512 | 6a4ad406e12adbb664d66fb1e95852447155b71199934b9ba353df13e5eb4c280b44edd621ef641b823a49d1ad052f1f1c46a5a887ef73126cdb3820510ed781 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3853ca05d048d88706c7af740f170d8d |
| SHA1 | c38325d07b91ed3bbdf397814f0b6205d3533464 |
| SHA256 | 5f0ef3475e11f0db8960414f4d6457a2d1143164e99ceaf0504df492c0327ff5 |
| SHA512 | f3eb022b9f1a9c6e708a6189bc511ab1b4617c684c5ed2fad3b924756d3af1fd63716a587b8a8d000754ee4cdfe1f2a5a26bf29e8b6d32edd6d5d106c28a5c52 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a1d9ae37c20c4380ca2d31e9eb8e771c |
| SHA1 | 2ff117445c5ee107b2ee3aeb4dc0f5fc0041016f |
| SHA256 | fd9b574004799870bce80fcf2294e54a4a23dd817febbaca29d239e25e6f4e64 |
| SHA512 | deb2c94b4316ec17704fc7a6f195ed51957514fe72f49234ab4b319df8b56e9d83c14ae60669a56ff160f21b5fffabfd9b7e90b8bcf743dc82d073fdb0a2e201 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 809df1e5e55f44eb9cc4e951236b43dc |
| SHA1 | 771fd8c00da9cc0f48495cbb17a62f521feacd94 |
| SHA256 | bd87bfa27c01d5bf406702065fa2f028d189d073be140c0e5b36940b58e02ea7 |
| SHA512 | 6c24c59d6b2ba5ff3e7c4db1dce73e1100468ce5da818200c62bf78bc6f8a6d2c6baac97ed118cd27f007b729d1eadf7fe16831f491d8ef9ae3e195ad7d5fee7 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 82cf22207f5da71cfa81d6a94eaf9349 |
| SHA1 | 21cfbdbf4855a504b818c79d9efed7ad1c4b0f3d |
| SHA256 | 97700b0dfc8199e180aac6c173e55662e3e0df9c46801e1ae6746eac3298acf3 |
| SHA512 | 8bfd21f1aac91c4673f2bf989df82514aac6328a366af293e86520eaf8b51dd980d9cfe047c4343cf53e27b9051034966906deac2ae283868c8e9ccd64b91ff3 |
C:\Windows\Temp\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Windows\Temp\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Windows\Temp\Google\Chrome\User Data\Default\Site Characteristics Database\000002.dbtmp
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 85c77e9e763d2484c9579a67b117d967 |
| SHA1 | 7f36425e401fdd9ecf7abc47e68b9705652ce597 |
| SHA256 | 98eb90f27fec410588395334d8a9ca543c79dc0eb5eb32e8e0f1d581efd01cd7 |
| SHA512 | 4731d3d6d8cd4845354dec37d525f538655e07bc82982481603b74c5bb0082bd623b432e9cee50c7f32a62ca8b339a460a4f1edd112d28f46f3fd278c737618e |
C:\Windows\Temp\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | ae15450d42303c9d12c39b4b8f0e01ce |
| SHA1 | 1810f6bed6b321c5062a0d05c88007a14e3e5118 |
| SHA256 | a3b21087e1e2e4f31aa44b1197312ad18e6ac3c61d5104ea63f7050e9c77a119 |
| SHA512 | 6bb148aa28fbd68d5fa64b2127737a4e5a3302bd3e616e5b894b5b289eebecfb78168642e13f0cb0ef62f4da355cdbdaa23361b7efe073a9a4621e629efe1fcf |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a543494899902d37e5e3c5d64d6e3c63 |
| SHA1 | d1fe14780269f1f15dfe1bb4fcfb74a99ea9db05 |
| SHA256 | 06a9595af4dd5a181510410102e99b0c4f434ad92d5bf66e70edc9ce1e8365a1 |
| SHA512 | 7b2e5b0c546d53bd929b6dc438d8de8598f3dc1bdd602a589192c06dde5a31435142411717bb5949d29a8eb7e3f31f298440848e9a0cdcf5640934c61478b9c2 |
C:\Windows\Temp\Google\Chrome\User Data\Crashpad\metadata
| MD5 | 6fd87ff8617aa1d2bdcaedcfffa69da5 |
| SHA1 | f68dccffc76dbcb8ab1d5e2265a5b75de7d888e9 |
| SHA256 | 23f28ff11e6ef0e595dc16bb5e565388e23badb7eefda05868ae484fea1ab1e5 |
| SHA512 | f356c6c77670c122f4d2a0c3714718b7390a2b956de42d007c26c4486ba8e77218d6e7fe06e4a6406cd26e7513c0b6b663791c1ad2710e826c1eef3e251e87cd |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a42a72cbfdfa53e63dea519422cce036 |
| SHA1 | 945f126b83d678ace95d3a1e098837f23a5f039e |
| SHA256 | 3b51a2d2440ad7505bd54bcf62132d96a9388fcc5de9d8144b87cf58643d685d |
| SHA512 | bb04c9788762c22874d88ad9e55d73fb1eb3216be290e1a1d0b8b49c3e114bb4cffe6ca78cc597d1a0c037365cab16c3bf62c558fab81fbcfac47547691d487f |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a7f1095a4c348131f2a30e11fa067ab9 |
| SHA1 | ac68bbb8042ab92322fc73144f715713e8b4ff40 |
| SHA256 | 423fff071655da3ea34a944c609c00d46fee312ccfc6564f3d39bb32354743d7 |
| SHA512 | 886d9bde421278a097d9788c4e59aed60afe1d015522a534ddb4d8163af7054b76faf1e082581c29e4144b733bee1a078d0575442eb23aa5788af4ea80697758 |
C:\Windows\Temp\Google\Chrome\User Data\bd930e86-bb72-40e5-a7a3-34ca9b731f18.tmp
| MD5 | 2073621a7201ebd7a501e48221dbf199 |
| SHA1 | d6582267489d0bb3b599f3fcb37f03006dee71f6 |
| SHA256 | b4f5976ccb16f37973a7ef56060449d3a53a806f8c656a017e16bae3b9e71a61 |
| SHA512 | fa723037191b0f78783a7561c6ca18186ca8a9009a4da8749d7abe7ae0d803fc3c63a6458c9fa4d4852d2b5e52365b10a497565a0fd41a479a47eb79a8098de7 |
C:\Windows\Temp\Google\Chrome\User Data\ShaderCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
C:\Windows\Temp\Google\Chrome\User Data\ShaderCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Windows\Temp\Google\Chrome\User Data\ShaderCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Windows\Temp\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Windows\Temp\Google\Chrome\User Data\76a11e55-b001-4154-b29c-9cd900986c9f.tmp
| MD5 | fb34ec3affab6fd27e24d2a77e9ec96f |
| SHA1 | 437f7c8edf5a0f02c4e6b377cd796ff668e2cee6 |
| SHA256 | b87058e6a3f5af72ed8d3be6166921ccaf905e44d94683eae84a5a9040a0e1c1 |
| SHA512 | 4f5601d8c7cbf949d72f693dc8729bc46455d1f8eee5a630fff0190189b13e8b5ee6b74e442ff811b7b585c18111c64bba6a58e8a59c2d78b58e419992b8d89c |
C:\Windows\Temp\Google\Chrome\User Data\9815d094-1ce6-451e-bae4-9df402a95fac.tmp
| MD5 | 780050e80e73a00807c61c1cbfef1c05 |
| SHA1 | bd50f08752472ad7a76afa5dd902a2b4262cbdc8 |
| SHA256 | 9de5cb6a221714372f42fc4b56d10b4b0f3c1203ed0978b6408400b7614be791 |
| SHA512 | 4c707fa945a4e6532f35cbfbe7c7538a30d1bea19320a33ed1e4758ddc5009878803371ee2e501b9c0da677accd27a2d8fd92bb38cfddde14129c1ae0104138f |
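Most of the paths in this dropped-file listing are written by Windows or the browser in any Win7 detonation (CryptnetUrlCache CRL/OCSP entries, Chrome profile files, library-ms and desktop.ini files), and the same path often appears many times with a different hash each time because it was rewritten during the run. Lifting every hash into a blocklist therefore produces noise. The script below is an added example, not part of the sandbox report or of any vendor tooling: it parses the listing format used here (a path line followed by `| MD5 | … |` rows), rejects digests of the wrong length, splits paths into routine artifacts and candidates for further inspection, counts rewrites of the same path, and emits a de-duplicated SHA-256 set for the candidates only. The routine-path patterns are an assumption to be tuned per environment; the sample input is a handful of entries copied from the listing above.

```python
"""Triage a sandbox 'dropped files' listing: path line + '| ALGO | hex |' rows.
Added example for this page; not the sandbox's own code."""
import re
from collections import Counter
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Paths a clean Win7 + browser detonation writes on its own (assumption; tune per lab).
ROUTINE_PATTERNS = (
    re.compile(r"\\CryptnetUrlCache\\", re.I),               # CRL/OCSP cache churn
    re.compile(r"\\Google\\Chrome\\User Data\\", re.I),      # browser profile state
    re.compile(r"\\Libraries\\[^\\]+\.library-ms$", re.I),   # shell library definitions
    re.compile(r"\\desktop\.ini$", re.I),
    re.compile(r"\.(lnk|url|customDestinations-ms|feed-ms)$", re.I),
    re.compile(r"\\Windows Mail\\edb\.log$", re.I),
    re.compile(r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.I),  # cab extraction temp files
)


@dataclass
class Dropped:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """Return Dropped records in page order. A non-table line starts a record;
    following hash rows attach to it. Wrong-length digests raise instead of
    being kept silently, since a truncated hash would never match anything."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            if cur is None:
                raise ValueError("hash row before any path: %r" % line)
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError("bad %s length on %s" % (algo, cur.path))
            cur.hashes[algo] = digest
        elif line.startswith("|"):
            continue  # some other table row, not a hash
        else:
            cur = Dropped(path=line)
            records.append(cur)
    return records


def parse_ok(text):
    """True when the listing parses cleanly, False on a malformed hash row."""
    try:
        parse_listing(text)
        return True
    except ValueError:
        return False


def is_routine(path):
    return any(p.search(path) for p in ROUTINE_PATTERNS)


def triage(records):
    """Split records into (candidates, routine, rewrites); rewrites maps each
    path that appears more than once to its count."""
    candidates = [r for r in records if not is_routine(r.path)]
    routine = [r for r in records if is_routine(r.path)]
    counts = Counter(r.path for r in records)
    return candidates, routine, {p: n for p, n in counts.items() if n > 1}


def sha256_iocs(records):
    """Sorted, de-duplicated SHA-256 digests of candidate (non-routine) files."""
    return sorted({r.hashes["SHA256"] for r in records
                   if "SHA256" in r.hashes and not is_routine(r.path)})


# Constructed sample: a few entries copied from the listing on this page.
SAMPLE = r"""
C:\Users\a\Links\desktop.ini
| MD5 | 92adc8410cd8cb1d0481e2adbb62c7dd |
| SHA1 | bac1444ebe0bac748966f3bee84ee11e151a4810 |
| SHA256 | 4a3d7ccddac5c1b437fb687e90589015b9b9ae7708ea35eed9917d1190f65694 |
C:\Windows\Temp\www4FF5.tmp
| MD5 | 2ce792bc1394673282b741a25d6148a2 |
| SHA256 | 992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| SHA256 | ffb9554f4c3756d9f2dbfa6a6b5f8f90202791d9f33b9c3d5df6aa9af57bb3ee |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| SHA256 | 63ec71e3b74a4096059c3bf4169a58cecdef04e0f05f007b405e24c99b3d2828 |
C:\Windows\Temp\Cab6177.tmp
| SHA256 | a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53 |
"""

if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    cands, routine, rewrites = triage(recs)
    print("candidates:", [r.path for r in cands])
    print("routine:", len(routine), "rewritten paths:", rewrites)
    print("SHA-256 IOCs:", sha256_iocs(recs))
```

Feed the full listing from the report to `parse_listing` and only the candidate set goes into hunting; anything matched as routine is still kept in the records so it can be reviewed if the pattern list is wrong for a given lab image.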