Malware Analysis Report

2025-01-22 20:16

Sample ID 241020-cceznatfnr
Target http://roblox.com
Tags
discovery defense_evasion evasion persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file http://roblox.com was found to be: Known bad.

Malicious Activity Summary

discovery defense_evasion evasion persistence ransomware

Modifies visibility of file extensions in Explorer

Grants admin privileges

Boot or Logon Autostart Execution: Active Setup

System Binary Proxy Execution: Rundll32

Drops startup file

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Browser Information Discovery

System Location Discovery: System Language Discovery

Permission Groups Discovery: Local Groups

Modifies Internet Explorer Protected Mode

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Checks processor information in registry

Runs net.exe

Modifies Internet Explorer start page

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 01:55

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 01:55

Reported

2024-10-20 01:59

Platform

win10v2004-20241007-en

Max time kernel

131s

Max time network

128s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://roblox.com

Signatures

Grants admin privileges

Browser Information Discovery

discovery

Permission Groups Discovery: Local Groups

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 3800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 3800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4216 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 4876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1036 wrote to memory of 2744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://roblox.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffcf8f346f8,0x7ffcf8f34708,0x7ffcf8f34718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\net.exe

net user add /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user add /add

C:\Windows\system32\net.exe

net localgroup administrators add /add

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators add /add

C:\Windows\system32\logoff.exe

logoff

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa393b055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 roblox.com udp
GB 128.116.119.3:80 roblox.com tcp
GB 128.116.119.3:80 roblox.com tcp
GB 128.116.119.3:443 roblox.com tcp
US 8.8.8.8:53 www.roblox.com udp
FR 128.116.122.4:443 www.roblox.com tcp
US 8.8.8.8:53 css.rbxcdn.com udp
US 8.8.8.8:53 static.rbxcdn.com udp
US 8.8.8.8:53 js.rbxcdn.com udp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.18.190.80:443 css.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.19.117.6:443 js.rbxcdn.com tcp
GB 2.18.190.78:443 static.rbxcdn.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 3.119.116.128.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 4.122.116.128.in-addr.arpa udp
US 8.8.8.8:53 metrics.roblox.com udp
US 8.8.8.8:53 apis.roblox.com udp
FR 128.116.122.4:443 apis.roblox.com tcp
US 8.8.8.8:53 80.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 6.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 78.190.18.2.in-addr.arpa udp
FR 128.116.122.4:443 apis.roblox.com tcp
US 8.8.8.8:53 locale.roblox.com udp
GB 2.18.190.80:443 css.rbxcdn.com tcp
US 8.8.8.8:53 apis.rbxcdn.com udp
GB 2.19.117.27:443 apis.rbxcdn.com tcp
US 8.8.8.8:53 auth.roblox.com udp
US 8.8.8.8:53 images.rbxcdn.com udp
GB 2.18.190.75:443 images.rbxcdn.com tcp
GB 2.18.190.75:443 images.rbxcdn.com tcp
GB 2.18.190.75:443 images.rbxcdn.com tcp
GB 2.18.190.75:443 images.rbxcdn.com tcp
GB 2.18.190.75:443 images.rbxcdn.com tcp
GB 2.18.190.75:443 images.rbxcdn.com tcp
US 8.8.8.8:53 27.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 75.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 ecsv2.roblox.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e443ee4336fcf13c698b8ab5f3c173d0
SHA1 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512 cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

\??\pipe\LOCAL\crashpad_1036_WDUKTXQWTFSPKMTC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56a4f78e21616a6e19da57228569489b
SHA1 21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256 d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512 c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e618d0d8d91d507f18785ddda05c6967
SHA1 cc6c6a6be87332da571ef856d52dda2e7c7f3e03
SHA256 7cca3eea08d8e7135b30f6819074b85a972ae9d5d924b3ebec40915808c22e24
SHA512 381fe1d7e330b5d52b9173bd0fcabd76fe9caf0126eed211ba1babab46c51ceaef57dba683227f1b8f1aacb23bc66d19dde5506e1669d628cacf38211cab31dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8100686a5339dc017bbd25ca46a1c708
SHA1 143c68971265e628857d3cfc2eb45c91a6f011a1
SHA256 16f8291c488eca398bf925d57863620f6695849d7bcaf78aaab881d4e651bab4
SHA512 3e637547fb7a2b37230706ca8f3ee7df4142ab8d6108037601d93702f847657cf8aae5aa2a0a592611c1614df532343d5390751eb52294643401c2671708d74b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8bebc03570eafc57e52bbc2385fceb66
SHA1 922ba5d698ac9bead27a4e85732a312c7ed11fcc
SHA256 0028416c30e4ce2493245eae65f99e19ebc3a740227e0f6b0cfd4e5cebe3e788
SHA512 b9e6f617ad2fc1621a1f8a17426363ab244ae9cb69672e19d5958258557cf8598a9d1f2bb72fd5b13cf09dc76ae7dbee46e740b5cde8d11106bd05860f1a46c0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f52d.TMP

MD5 9dee17bae2f1fd292f30f52b8b9b6449
SHA1 f5236676ac107bd880b90ba08a139cd9c0ef0030
SHA256 2dfa21d490f150bb4407846ba4895029ad4937e241c298362ea157f7cb69675f
SHA512 3a3efdb11679f3ba2bf042e080217f3390f4342c558e4206fe6bdd4e17f197575ac11f36a9461a03b508170af8b0bc778e54a98fc755f7504938dc36a3b21794

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7a0977b7abb63e9eb715035f0ebac56b
SHA1 c8e48696c447783831d00c9318280cd128a9cd9e
SHA256 44617072274d7b198cd1490782def7a83d89493c68a5ec49fc16fab77652f5c0
SHA512 e73d94dbb01f6e5419b40f287f91fc34ae9d90a4b9bd395585cf245fb196cf37d34ee70b03dfaae8b51d711f462ca72e1c925301ca01b50a4176144c81c66585

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5ae8ba32702ba9278c7c2cdbdfdf29b7
SHA1 c8fbe9fdd6bad8f2d4a29f369d143487ade2fa17
SHA256 0c7e6b587bbfe082fdaa36a2c921260549e0da1b537d9874a1363e89906b091e
SHA512 19d9d5c7fcdda3019c3630cce68594de4277b1d2856c9c31cce0f5dea61aefe9229c3f5fb6baa1e179530ec5e8f8ec7b6d012894d4fea9969ca7a3d8b977b16c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f596c6ad8f32e31a99958710207c0e10
SHA1 afa0334d42da1627949ca0648f403268fb5101cb
SHA256 ca9ccf29d22c87d3e1d1611064645c547b14d88815855e09433675df2e0d8539
SHA512 7e9fad74064ced816187773501888a3ad94fbe529e03fa1da5ff961a841da0770bb3f31d13bcce01b587b8a2f529a64a679fbe4553f57f8e18fab6fec1704003

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 ec66d59ee399767f14f3c64e32914941
SHA1 b00035f355a331ac8539ffca115505e225a0957a
SHA256 79126967f23873cf24ed7c8135b7ece6d40af41a75baae78157f4a6e45d22ce5
SHA512 8fdfa3ae7b4c1f89a5b9859997ce756386a5962bdfdbc1ac4b985ad9c845bab2dc8c443ccc4888dc7f4ce22ebb318def95c737a4f4a2d39c3abb6d762cca0f81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f0be1265a2572156834f4d90d3411de9
SHA1 07f56cc73201af84594899e89dbc68eead857705
SHA256 f53449f89974c926b3c56b787a891185ede4592e9f417baf45134f9e1bb8660a
SHA512 ea5b264f18dee6a4129ef992ab92c0cb673edba44923bdb3641e472938fd487e6fe96f03e867dedd9c937909c1aa19fa163dcc8c623075ed17d964c087bcb012

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 86e371cf6a8348ab68300b8aaf7452f7
SHA1 51d560f073d8e4b841a6fe148831b8ffea9148b9
SHA256 0016e2022dccc91079288dd69d5bcc73597c4a724fdc068c753d48f0ab7e9aa7
SHA512 f4e61d24f4972b2433a35af02f11a7a18fc2c13d87fb74308b79d343daa071341ad7cc26b75772afe1d1272530948a36fb7f3d8afb23b8c88695876a55056589

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\396fd16f-3ba8-4ef2-a4b3-21f6d77237cb.tmp

MD5 c688cf8cdf72028d78551e6165f4f99c
SHA1 7c7eb560a41bab1e236a9992811a52c6991b9151
SHA256 667454090e6b658f98123e1a62774a6d602bcda71082dd66c6baf182c762bee0
SHA512 5e8d5d393e1f8915664cfc0ed963792ae1858fc6893fde0c0b006acf0bd0b5ca158c7af0c6236781780372d817fcf11a56f4cfeb3dc42369de13ad1ac2f92978

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 235daef238f23634da1531d3f253ac56
SHA1 4731f3a6b9873db4bc076109ea63a61a287f0877
SHA256 ffa8403793acdf76315c65734e9e26a180b7bee26e5565010cf0ce24fd05f322
SHA512 47cc9bc4573591529b32e4587aa7aa4cbdb92dfc0049f69f41142217a652a60c4456e9761401d472b4861c5dc2a995b6167739e1bec23cc9efac7b5294753df2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0c5d1c5b158ecf14f39abe9c9d1f5a71
SHA1 684171eb3af8bd0f1d960d112072e7314541fab9
SHA256 cdb0d23e31aec55c7ead7c8c008aaeb81a84fbd7017f195d5d82eed25954c4b4
SHA512 d515a67e24ebac914fe82af5badfeccdd0bc99f5c6f2e4a8514be5e12b5ac5fc8581ff736cdd38a7e631ce1eeabb029fc3328484e3589bd3ccfe238f57fd582b

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 01:55

Reported

2024-10-20 02:00

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" http://roblox.com

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Explorer.EXE N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "Windows 87" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514" C:\Windows\Explorer.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en" C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components C:\Windows\Explorer.EXE N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Windows\System32\regsvr32.exe N/A

System Binary Proxy Execution: Rundll32

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Windows 87\Saved Games\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Contacts\desktop.ini C:\Program Files (x86)\Windows Mail\WinMail.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Links\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Saved Games\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1001\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Searches\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Links\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Favorites\Links for United States\desktop.ini C:\Windows\System32\mctadmin.exe N/A
File opened for modification C:\Users\Windows 87\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Contacts\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Downloads\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Favorites\Links\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\Windows 87\Desktop\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Favorites\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File created C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Program Files\Windows Mail\WinMail.exe N/A
File opened for modification C:\Users\Windows 87\Searches\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Users\Windows 87\Desktop\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe N/A
File opened for modification C:\Users\Windows 87\Favorites\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Contacts\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Downloads\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\Explorer.EXE N/A
File opened for modification C:\Users\Windows 87\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Windows\Explorer.EXE N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1001\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Users\Windows 87\Documents\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\Music\desktop.ini C:\Windows\System32\regsvr32.exe N/A
File opened for modification C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Windows\System32\regsvr32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\unregmp2.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\Windows 87\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Windows\System32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\Windows 87\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" C:\Windows\System32\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.INI C:\Windows\System32\rundll32.exe N/A
File created C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.DAT C:\Windows\System32\rundll32.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.INI C:\Windows\System32\ie4uinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\rundll32.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe C:\Windows\Explorer.EXE N/A
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\System32\ie4uinit.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\runonce.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Mail\WinMail.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Explorer.EXE N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Explorer.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController C:\Windows\system32\csrss.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data C:\Windows\system32\csrss.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data C:\Windows\system32\csrss.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data C:\Windows\system32\csrss.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\csrss.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier C:\Windows\system32\csrss.exe N/A

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" C:\Windows\System32\ie4uinit.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\31 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\13\IEFixedFontName = "Shruti" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\25 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Sylfaen" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\SOFTWARE\Microsoft\Internet Explorer\Main C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Security C:\Windows\System32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "DokChampa" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\28 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\28\IEFixedFontName = "Euphemia" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\31\IEFixedFontName = "Segoe UI Symbol" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\SQM C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Document Windows C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmz C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wax C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\4 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\11\IEFixedFontName = "Shonar Bangla" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\17\IEFixedFontName = "Tunga" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Show_ToolBar = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Desktop C:\Windows\System32\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Document Windows\x = 00000080 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.midi C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\35\IEFixedFontName = "Estrangelo Edessa" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Settings\Anchor Color = "0,0,255" C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Anchor Underline = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Use_DlgBox_Colors = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Search Page = "http://go.microsoft.com/fwlink/?LinkId=54896" C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Document Windows\height = 00000000 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\14 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Nyala" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\SOFTWARE\Microsoft\Internet Explorer\New Windows C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\SOFTWARE\Microsoft\Internet Explorer\Settings C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Settings\Use Anchor Hover Color = "No" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Play_Animations = "yes" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\21 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\35 C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\GPU C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\6 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\30\IEFixedFontName = "Microsoft Yi Baiti" C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Document Windows\width = 00000080 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\UseClearType = "no" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Windows\\web\\wallpaper\\Windows\\img0.jpg" C:\Windows\System32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wm C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Settings\Text Color = "0,0,0" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Setup C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" C:\Windows\System32\ie4uinit.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" C:\Windows\system32\winlogon.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 C:\Windows\system32\winlogon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" C:\Windows\system32\winlogon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" C:\Windows\system32\winlogon.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/basic\Extension = ".au" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wma\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wmz\ = "WMP11.AssocFile.WMZ" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.3G2\PreferExecuteOnMismatch = "1" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.3gp C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\shell\play\ = "&Play" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.mp2\OpenWithProgIds\WMP11.AssocFile.MP3 = "0" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg2a\Extension = ".mpeg" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aifc C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/avi C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv\Extension = ".wmv" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.adts C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.M4A\PreferExecuteOnMismatch = "1" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/quicktime C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cda\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mid\Extension = ".mid" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.aiff C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\OpenWithProgIds\WMP11.AssocFile.MPEG = "0" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.MTS\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867} C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-ms-wax\CLSID = "{cd3afa83-b84f-48f0-9393-7edc34128127}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.aac C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/wav\CLSID = "{cd3afa7b-b84f-48f0-9393-7edc34128127}" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.dvr-ms C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.WVX\PreferExecuteOnMismatch = "1" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.AAC\OpenWithProgIds\WMP11.AssocFile.ADTS = "0" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mp2v C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic\ = "{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp2\Extension = ".3g2" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/3gpp\CLSID = "{cd3afa97-b84f-48f0-9393-7edc34128127}" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.3GP\PreferExecuteOnMismatch = "1" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.cda\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.m2t\OpenWithProgIds C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\ = "&Add to Windows Media Player list" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpeg\Extension = ".mpeg" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.AAC\MP2.Last = "Custom" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mpg C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.wm\ = "WMP11.AssocFile.ASF" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mid C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.M4A\PreferExecuteOnMismatch = "1" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.tts C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-wpl\CLSID = "{cd3afa95-b84f-48f0-9393-7edc34128127}" C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-ms-wmd\CLSID = "{ee4da6a4-8c52-4a63-bbb8-97c93d7e1b6c}" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp C:\Windows\System32\unregmp2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpeg\Extension = ".mpeg" C:\Windows\System32\unregmp2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\.3gp\OpenWithProgIds\WMP11.AssocFile.3GP = "0" C:\Windows\System32\unregmp2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-midi C:\Windows\System32\unregmp2.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\LogonUI.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\winlogon.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files\Windows Mail\WinMail.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\ie4uinit.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\rundll32.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files\Windows Mail\WinMail.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 2736 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2724 wrote to memory of 2736 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2724 wrote to memory of 2736 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2724 wrote to memory of 2736 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2604 wrote to memory of 2352 N/A C:\Windows\system32\winlogon.exe C:\Windows\system32\LogonUI.exe
PID 2604 wrote to memory of 2352 N/A C:\Windows\system32\winlogon.exe C:\Windows\system32\LogonUI.exe
PID 2604 wrote to memory of 2352 N/A C:\Windows\system32\winlogon.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 2352 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\LogonUI.exe
PID 2388 wrote to memory of 1104 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\userinit.exe
PID 2388 wrote to memory of 1104 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\userinit.exe
PID 2604 wrote to memory of 1104 N/A C:\Windows\system32\winlogon.exe C:\Windows\system32\userinit.exe
PID 2604 wrote to memory of 1104 N/A C:\Windows\system32\winlogon.exe C:\Windows\system32\userinit.exe
PID 2604 wrote to memory of 1104 N/A C:\Windows\system32\winlogon.exe C:\Windows\system32\userinit.exe
PID 2388 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 2908 N/A C:\Windows\system32\userinit.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 2908 N/A C:\Windows\system32\userinit.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 2908 N/A C:\Windows\system32\userinit.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 2908 N/A C:\Windows\system32\csrss.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 2912 N/A C:\Windows\system32\csrss.exe C:\Windows\System32\regsvr32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\system32\csrss.exe C:\Windows\System32\regsvr32.exe
PID 2908 wrote to memory of 2912 N/A C:\Windows\Explorer.EXE C:\Windows\System32\regsvr32.exe
PID 2908 wrote to memory of 2912 N/A C:\Windows\Explorer.EXE C:\Windows\System32\regsvr32.exe
PID 2908 wrote to memory of 2912 N/A C:\Windows\Explorer.EXE C:\Windows\System32\regsvr32.exe
PID 2908 wrote to memory of 2912 N/A C:\Windows\Explorer.EXE C:\Windows\System32\regsvr32.exe
PID 2908 wrote to memory of 2912 N/A C:\Windows\Explorer.EXE C:\Windows\System32\regsvr32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\system32\csrss.exe C:\Windows\System32\regsvr32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\system32\csrss.exe C:\Windows\System32\regsvr32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\system32\csrss.exe C:\Windows\System32\regsvr32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\system32\csrss.exe C:\Windows\System32\regsvr32.exe
PID 2388 wrote to memory of 884 N/A C:\Windows\system32\csrss.exe C:\Windows\system32\rundll32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\system32\csrss.exe C:\Windows\System32\regsvr32.exe
PID 2388 wrote to memory of 2912 N/A C:\Windows\system32\csrss.exe C:\Windows\System32\regsvr32.exe
PID 2388 wrote to memory of 840 N/A C:\Windows\system32\csrss.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 840 N/A C:\Windows\system32\csrss.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 840 N/A C:\Windows\system32\csrss.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 840 N/A C:\Windows\system32\csrss.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2908 wrote to memory of 840 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2908 wrote to memory of 840 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2908 wrote to memory of 840 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2908 wrote to memory of 840 N/A C:\Windows\Explorer.EXE C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 840 N/A C:\Windows\system32\csrss.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 840 N/A C:\Windows\system32\csrss.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 840 N/A C:\Windows\system32\csrss.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 840 N/A C:\Windows\system32\csrss.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 840 N/A C:\Windows\system32\csrss.exe C:\Program Files (x86)\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 1568 N/A C:\Windows\system32\csrss.exe C:\Program Files\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 1568 N/A C:\Windows\system32\csrss.exe C:\Program Files\Windows Mail\WinMail.exe
PID 2388 wrote to memory of 1568 N/A C:\Windows\system32\csrss.exe C:\Program Files\Windows Mail\WinMail.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://roblox.com

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\userinit.exe

C:\Windows\system32\userinit.exe

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files (x86)\Windows Mail\WinMail.exe

"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -UserConfig

C:\Windows\System32\ie4uinit.exe

C:\Windows\System32\ie4uinit.exe -ClearIconCache

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll

C:\Windows\system32\rundll32.exe

rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize

C:\Program Files\Windows Mail\WinMail.exe

"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI

C:\Windows\System32\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1401c7688,0x1401c7698,0x1401c76a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1401c7688,0x1401c7698,0x1401c76a8

C:\Windows\System32\dzuhbf.exe

"C:\Windows\System32\dzuhbf.exe"

C:\Program Files\Windows Sidebar\sidebar.exe

"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun

C:\Windows\SysWOW64\runonce.exe

C:\Windows\SysWOW64\runonce.exe /Run6432

C:\Windows\System32\mctadmin.exe

"C:\Windows\System32\mctadmin.exe"

C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe" Adobe Reader;65916

Network

Country Destination Domain Proto
US 8.8.8.8:53 roblox.com udp
GB 128.116.119.3:80 roblox.com tcp
GB 128.116.119.3:80 roblox.com tcp
GB 128.116.119.3:443 roblox.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.22:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabFA68.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFAA9.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ec0fa160afe0b0ce82ee20e56b7fa48
SHA1 d1b3c7d107b3ffc53eb36210fc96341980a71a34
SHA256 cc24717071ae735e9d269c3386753876dca6e469da85616fc4a4007cf477f80a
SHA512 41a54449e0c648b90135503aafae5180dcb7f0d5aa58b3c8ab58a584fe980d569cc255d94ff20209d7f4a8fe12edb010baf3ff1bad44b00d40f1b469ba2226ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b189bb55362d91edac053b7b1bfb2546
SHA1 76739d98644beaaae2e895e97ba9c3eba9acfba2
SHA256 bf2bbda1f1c232f362d5f81a5daaeab60027927e9d1bbf7b55569540e334e663
SHA512 ba2e74b99ff0ddc565fbb0430fd2cd3b3ebb87025e24a981571292243f329df63a6cdf88a0b114674e078bd7b0262f0ef6ffc90f1c982016365afb188a44c14f

memory/2716-481-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/2352-482-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1001\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Users\Windows 87\Contacts\Windows 87.contact

MD5 1e74ccaa1012dcf71981a8e90a2940dc
SHA1 1e023fd50354be4e4e9cad10c590576bdc9efd96
SHA256 d53a5cf535cfe0a52f96ffa5634bfa8b7ae2b5a129f174877850387c0a6c8c18
SHA512 3757f63977173416a5059c3de250ccae51d28f8a7628bb550af0e6c0551e1b8146c3bcf57b295114ef99309cb996d6d886951869f260624ee99aa7965f2e37f9

memory/1568-507-0x0000000001E80000-0x0000000001E90000-memory.dmp

memory/1568-513-0x00000000026D0000-0x00000000026E0000-memory.dmp

C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 e11dfa94f8788a3162a281f949ccbd11
SHA1 9f9b21850f3dbb396d663e6aa01a56dd564b8340
SHA256 b8283ca6ca36b0dd97c211dbc984a6e0a721e3f9a12d8b531d02098251a18c77
SHA512 24571bb0d81be6609a96f693adc5c0a5a2558500ec2ceee38bc32b54f4c9fc5e4914b044782b8a29fbd1199e86a657bf45574368b007ed809e56c3355076b4a3

memory/1568-526-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/1568-528-0x0000000002400000-0x0000000002402000-memory.dmp

memory/1568-531-0x0000000002400000-0x0000000002402000-memory.dmp

memory/1568-539-0x0000000002CF0000-0x0000000002CF2000-memory.dmp

memory/1568-541-0x0000000002CE0000-0x0000000002CE2000-memory.dmp

memory/1568-549-0x0000000002CE0000-0x0000000002CE2000-memory.dmp

memory/1568-604-0x0000000003580000-0x0000000003582000-memory.dmp

memory/1568-605-0x0000000003570000-0x0000000003571000-memory.dmp

memory/1568-608-0x0000000002410000-0x0000000002411000-memory.dmp

memory/1568-612-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1568-614-0x00000000021B0000-0x00000000021B1000-memory.dmp

C:\Users\Windows 87\Contacts\desktop.ini

MD5 eefa7f76ff11a5ec21bb777b798ac46c
SHA1 2e7a65ea8427d13a92ea159a5b8859ff99d2a836
SHA256 840b46ed74821b5b61ca9ddc51a91cfe9151d11a494c89f183fadc02a78ac8ae
SHA512 111301e33c0b33c154ffff274db5eb167de0ddb4e769cab9a2d9fcd2882e6192053149abbcb00d17ae5f7661bafecc1111aff2025c89d07b247633bbccb0e3ef

C:\Users\Windows 87\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Windows 87\Pictures\desktop.ini

MD5 29eae335b77f438e05594d86a6ca22ff
SHA1 d62ccc830c249de6b6532381b4c16a5f17f95d89
SHA256 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
SHA512 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

C:\Users\Windows 87\Videos\desktop.ini

MD5 50a956778107a4272aae83c86ece77cb
SHA1 10bce7ea45077c0baab055e0602eef787dba735e
SHA256 b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978
SHA512 d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a

C:\Users\Windows 87\Favorites\desktop.ini

MD5 881dfac93652edb0a8228029ba92d0f5
SHA1 5b317253a63fecb167bf07befa05c5ed09c4ccea
SHA256 a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
SHA512 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

C:\Users\Windows 87\Contacts\desktop.ini

MD5 449f2e76e519890a212814d96ce67d64
SHA1 a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd
SHA256 48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7
SHA512 c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

C:\Users\Windows 87\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

C:\Users\Windows 87\Music\desktop.ini

MD5 06e8f7e6ddd666dbd323f7d9210f91ae
SHA1 883ae527ee83ed9346cd82c33dfc0eb97298dc14
SHA256 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68
SHA512 f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

MD5 a2d31a04bc38eeac22fca3e30508ba47
SHA1 9b7c7a42c831fcd77e77ade6d3d6f033f76893d2
SHA256 8e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531
SHA512 ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6

C:\Users\Windows 87\Documents\desktop.ini

MD5 ecf88f261853fe08d58e2e903220da14
SHA1 f72807a9e081906654ae196605e681d5938a2e6c
SHA256 cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
SHA512 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 17d5d0735deaa1fb4b41a7c406763c0a
SHA1 584e4be752bb0f1f01e1088000fdb80f88c6cae0
SHA256 768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed
SHA512 a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 c135c2a69f8abf8eac46ba9fc8ba4ae7
SHA1 c31bd5e5ddcc64257471f4fcbc552750b2e09362
SHA256 c7ac64318738e1acc96e15aa5b2b617f63a3218a1d54f3f8c207af5508bf178b
SHA512 2ef6e619c56c9bf6ba9e24383c727a96674d6aaf550f87db982e31defee84414f56c7a825a0af8b6c99831198550187503a083aaa9f187dbadc81b9ec1f5f085

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini

MD5 f107d0270e21a2fe91099fdc15918d44
SHA1 dabc2f24f4a4e90053743166e5c4175dcf2b2d2d
SHA256 eb315c9d165b4916e3b00e4d148b53a6c03a2f0694a6a8821d98e76f935ca6a8
SHA512 b5d51c0d6abe99121d4f4f1d236def4260b7d5c26c501d7735eba4f58e2597db0e89b2b1df16545e49fc39649806e5305efb912328541bdd31c01ff3d2bda49c

C:\Users\Windows 87\Searches\desktop.ini

MD5 8e11566270550c575d6d2c695c5a4b1f
SHA1 ae9645fad2107b5899f354c9144a4dfc33b66f9e
SHA256 1dc14736f6b0e9b68059324321acc14e156cd3a2890466a23bf7abf365d6c704
SHA512 a9fc4b17d75f85ae64315ba94570cb5317b5510c655d3d5c8fb44091ea37f31e431e99ed5308252897bdd93c34e771bf80f456c4873ef0aa58ca9bbb2e5ff7e0

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 1d1ee02ab709a9f5ff51df53de338a4d
SHA1 0d947e30bd9a13be842107bf8805a8bf69a0c871
SHA256 ae6b44bf265cebd6ecabf4b3357326ce631e98c54db8c75164e6edf4ebf8e331
SHA512 49df197b8b87fa67c9d5a2edf99d571b7fb190423ba3181ac8aa2f6ceb75bfe00c66b343a51a342d584ed540a953879f1d34937e45f753b5b6aa454726500856

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 0ff56a4620c3221ff64ec61a3a0d3033
SHA1 3a45320be12b585dcdc5ab2af5ea1455b2c919a1
SHA256 0b0a65accca705494739d03b6c2ea769c78cd0eee996bc95b0c6ebc0941f4b1a
SHA512 962a340efeb6d18c85e5872997eebb83374e114be088689690ba438f0db8e2e4df6c24713a35cfaec518f58d5322cf9617638ea55ff279a9d161c4fdf9af74f6

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

MD5 7f1698bab066b764a314a589d338daae
SHA1 524abe4db03afef220a2cc96bf0428fd1b704342
SHA256 cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76
SHA512 4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719

C:\Users\Windows 87\Links\desktop.ini

MD5 98470d9bd7fba55a0c303065f9c4f9be
SHA1 5303b190e29ba48332f7c90a832ef08af5a1953d
SHA256 3830022d5d7ef2ae2ca0a2b6ad73f0d4716b49bf7eeeaa87b618988d531b7c72
SHA512 134e072c3600bbb3c724c2700da399a14ba5b907153969362b3dbff32c480d39e7f5ecceebc9122a5a27265410557a16eb6bf82c9b635b90ef1fa0ae9efb849c

C:\Users\Windows 87\Searches\desktop.ini

MD5 089d48a11bff0df720f1079f5dc58a83
SHA1 88f1c647378b5b22ebadb465dc80fcfd9e7b97c9
SHA256 a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17
SHA512 f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8

memory/2352-920-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

C:\Users\Windows 87\Saved Games\desktop.ini

MD5 b441cf59b5a64f74ac3bed45be9fadfc
SHA1 3da72a52e451a26ca9a35611fa8716044a7c0bbc
SHA256 e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311
SHA512 fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 a02b521dcc95b48e458eb02ac77651a2
SHA1 3dbd253d2f9a12db8c76e99dc426e42ed35a9f0d
SHA256 daca98fc728725fbb4b3dfa17b6c71c837e3a34e001217d71d4bfe6cb298bc7e
SHA512 e2afcc8cfcee4f0dff6762870df3ce7ffd78ec73e1729ae294f5c98866fc2828779f408cc73e66e7b4a91cc89c215746b8b0a92c8b3da38460f8c3cc4fac59b6

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 a75f4e6f234c3e9adb0de2b630e526e9
SHA1 48f4b8e64def91ec54a43333636e774d600b695e
SHA256 bcf7c6887d119d4a5f891206fc74425b4cb18c1677e0a1b9317b8cdefb8a297e
SHA512 afc89ce43a01c1e29cccd104714b4d3b6a576c91831278eda6322325c038477eba735fa4c51e5a72a9e1cb52f400a4792662cdac54f184445b5db79fd7d91464

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 453249f95d75eb5e450eb91fa755e1c8
SHA1 3e200e187e8cd21d3d1976ea0f7356626254de18
SHA256 01bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a
SHA512 6125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

MD5 548b310fbc7a26d0b9da3a9f2d604a0c
SHA1 1e20c38b721dff06faa8aa69a69e616c228736c1
SHA256 be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac
SHA512 fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1

C:\Users\Windows 87\Links\desktop.ini

MD5 92adc8410cd8cb1d0481e2adbb62c7dd
SHA1 bac1444ebe0bac748966f3bee84ee11e151a4810
SHA256 4a3d7ccddac5c1b437fb687e90589015b9b9ae7708ea35eed9917d1190f65694
SHA512 d7c3a5df50b28e336ff24f828cdf225554d199d3c2a857e2a7baa1f2bc1fee21944733edee52bd665ebaee999f5668d03497e9bfe88d58d380b74e6046ec5d62

C:\Users\Windows 87\Links\desktop.ini

MD5 de8858093993987d123060097a2bad66
SHA1 0a89e87ba46538cb73aff1a47e4dc0bcfb4760d5
SHA256 4c0d757717dec80eca8c6cbbfdda4706eb38fbbb7624933d5429dafc7bb9f0ec
SHA512 fa348ac4025b599f460cb831338ce010dde8fba87587a6d078d6d594a30fee87ed112e412078c10604553f326cc7bd7627ae93b0e3d8a60cfeda0720cad29f4c

C:\Users\WINDOW~1\AppData\Local\Temp\RGI2694.tmp

MD5 3006752a2bcfeda0f75d551ea656b2ef
SHA1 b7198fc772be6d6261ed4e76aca3998e8f7a7bdb
SHA256 dfd64231860c732dced3dc78627a7844a08d5d3e4cd253fd81186bae33cc368a
SHA512 3fcfa7c8f46220852dc7efef5b29caba86825d0461a35559f26dbb2540c487b92059713f42fe1082a00a711d83216db012835673e1c54120ffa079e154950854

C:\Users\WINDOW~1\AppData\Local\Temp\RGI26D7.tmp

MD5 a828b8c496779bdb61fce06ba0d57c39
SHA1 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256 c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512 effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

C:\Users\Windows 87\Favorites\Links\Web Slice Gallery.url

MD5 873c8643cbbfb8ff63731bc25ac9b18c
SHA1 043cbc1b31b9988d8041c3d01f71ce3393911f69
SHA256 c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466
SHA512 356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943

C:\Users\WINDOW~1\AppData\Local\Temp\www2948.tmp

MD5 c2858b664c882dcce6042c40041f6108
SHA1 52eeaa0c7b9d17a8f56217f2ac912ba8fdc5041a
SHA256 b4a6fb97b5e3f87bcd9fae49a9174e3f5b230a37767d7a70bf33d151702eff91
SHA512 51522e67f426ba96495be5e7f8346e6bb32233a59810df2a3712ecd754a2b5d54d0049c8ea374bd4d20629500c3f68f40e4845f6bb236d6cca7d00da589b2260

C:\Users\WINDOW~1\AppData\Local\Temp\www2959.tmp

MD5 ad93eaac4ac4a095f8828f14790c1f8c
SHA1 f84f24c4ca9d04485a0005770e3ef1ca30eede55
SHA256 729111c923821a7ad0bb23d1a1dea03edbf503cd8b732e2d7eb36cf88eaa0cac
SHA512 f561b98836233849c016227a3366fcf8449db662f21aecd4bd45eb988f6316212685ce7ce6e0461fb2604f664ed03a7847a237800d3cdca8ba23a41a49f68769

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

MD5 da288dceaafd7c97f1b09c594eac7868
SHA1 b433a6157cc21fc3258495928cd0ef4b487f99d3
SHA256 6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2
SHA512 9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062

memory/2924-1088-0x0000000002AA0000-0x0000000002AA2000-memory.dmp

C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\edb.log

MD5 0b74c5d2d33fb117533ca2f9c47d2127
SHA1 98efcdfd19bff666ce421bc8e471424e0b87d845
SHA256 002d28caebeab46a42bb147ac67e54c594f6da81fcb6b277e7ae07ebb5f9d83c
SHA512 6ed31897a3a868783bc5958d5ae494ad36c96c83a9ada1204dc121e04420c5132c9511289dabc6ae8ed721f5b5b34abb55488523bf42c81f268ddeac0c60480c

memory/2924-1100-0x0000000002250000-0x0000000002251000-memory.dmp

memory/2924-1098-0x0000000002650000-0x0000000002652000-memory.dmp

memory/2924-1091-0x0000000002E70000-0x0000000002E71000-memory.dmp

C:\Users\Windows 87\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 7057aeaa2156ab2d556660065cd0f028
SHA1 1ed29318357a5c98329329211ca4e1770898b23b
SHA256 746ded812d5fee4880d0487a56181c33b5c5e516c17490d68fc24ab437133532
SHA512 09c4a99cec59d57482ce27ec1dff245c5603b0a3bed34308ddcc141d08ac5250d9f843869b730cff71c6644631cd2f0e0d55fcff814620f4cd407667be500308

C:\Users\Windows 87\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb

MD5 3932679c5a6800dcd033625d22706e33
SHA1 6dd374f6d577c89b706465852edb4459caa1dbfe
SHA256 aa9104391700d61ddd14bcf245d268493a096d4c0cc801acfcb0e52641817931
SHA512 ae5ad0e2887ad1891b2ec81771ed6990350776f8787ce395933faecfe3b77ca94de05cd03ff6b18d4bedb526ffa1929081b8683e95e82b7e9bb4680a2c31bb86

C:\Users\WINDOW~1\AppData\Local\Temp\wmsetup.log

MD5 1174ebe09175562dd063a847ecaec6f4
SHA1 851a194b04556dfbeafc2b555d075a13656513fb
SHA256 716179a7d69b933826b4decbe13db6b0ccdc2398e5a3d911fddae75cd883c6c9
SHA512 1c9bc45a3e28c07b4afc4d99a305807ba937c1c6778b0e4a0c0a032288a0df9abe59fcf4f56b30478cd31b268b12b64e387be824147c259d67800744597783a4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 46a4eca2a791d84afecfd9f129a567df
SHA1 004f2926d9377cc23c5b68ce26907435b8539643
SHA256 06b6d34db7e9ebecc07e0b53fedb2a9bc2d4563b1d2037b7630fbc002942baf7
SHA512 dbeecf882210add0dd4ac57f75ccdf6a9604c3308e92f70747313f89a7f9c590f4e1cdd507e53ee37e0a1b7e437320dc6ec1299d406ef34ddd67dfd900fddd98

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk

MD5 2cc35f24339bde300006b33f51881925
SHA1 f8866e4074643cab177985d7944147ad175a4b2b
SHA256 e8f18a9250d0e7f97e0555494f1720d3ea17fb0adb2b17627cf9886817635038
SHA512 670eac3a90cb6a7fb0ea0c93f8d260fef87fec36698df3c7344c9e420e84fa9382986777fa755064a7a5ca1f79aee146693a72bea9896f38f13aaee05818cf65

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk

MD5 6ebf7e74b0e452f75d422e82e460eac1
SHA1 23ca01eccfbee7aa5b1cf7b611fd6b5a8c4e64c2
SHA256 a83e414905e745998e8257fcce0575c9f7ddcc25d7798d640d97856aec736bb2
SHA512 370ee022c382051dcdc56814c3596f829f3009e2abb26809ee07f002371502749ca3643b79dbeae2d7349a63f25838a3912a0fb6b0d983a7c6387380fce12fd7

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

MD5 e4e50dfa455b2cbe356dffdf7aa1fcaf
SHA1 c58be9d954b5e2dd0e5efa23a0a3d95ab8119205
SHA256 9284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927
SHA512 bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169

C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\edb.chk

MD5 7b732de80871981a8521b646dd40d1f3
SHA1 6145ab69cec5f4f9ce60f715a928f9f4587c7311
SHA256 4dd21d1e4ba3fe44107279e625b6b2818b0e421bf6462685ef20ebb08855f917
SHA512 9a24c4d6e4f92bde8d0e069cf3341743133645c56a2a645c37a8ce5344998ceeb8114d3771b5d0d054fddfd1280ab673ec988864d2c15c5fe0e0654832dc1545

C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore

MD5 f12a88d883c786b07da87135afdd90e6
SHA1 7be158171902f737194837e3067e7c952eef3417
SHA256 f57b772a87c9d73450a102d3f053a64fd1f708bb2150398c5177ec625c01c829
SHA512 86baa355c95bb98e497094285ab40d73648d7ebae8a3a31d6be5c94d716b1221aab25137abcd547e73e47609d42736ef1ccd8452d924730842b7a1cb8831da85

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 518297d1dbbcd7730362bd4e6279b614
SHA1 306c7aa11a78cb583350595e5b8d5331341d9982
SHA256 68f45b3d002fa5ed2d4afb22a78ae63c4041ab2ba7a5dd9f246d0f8a23ebf463
SHA512 3b7e08bed0a7d12ca2b560fa4b316b76aef8b43b1dd50b5b64f4f632db635d2ee7a679feb5e6847bc69a785c2af9c1fb3e05c594fd34616f7890fd58ed812496

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 e44712b9019e0fb757fe6d714a9cc68b
SHA1 2fd3d36a0ed53314376d3b9959beea50d3e072cf
SHA256 89245b2d412f0b789ca537372b3fb8384268ace41674aa7fb9668a505b36a2d1
SHA512 7d44371ccc2304c3daf4fa38d3d0a2f39cfcba97479f980a7c7b786b3bc1364eede5fb4a54f592591d3b7931686a8dcb40848c41a6cc3bfaf593eaf64904ec6c

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 fb3973bff11fab049a5afacabc339123
SHA1 842ad211690f13e21998071223443e2a96d9f814
SHA256 f91d6a35247e0743f6ceac3a99c9192493e0f1fc57a60755a5aa557af314ee9b
SHA512 a4c13a9b2f636e97f53e5b4d751804ee2de166f10981ddf087b56b5e40df88740c30ba4c9fd8d496c99fe338942d7f8ca5f2dee5a811d69b8081c15ebeceb240

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Windows 87\Downloads\desktop.ini

MD5 3a37312509712d4e12d27240137ff377
SHA1 30ced927e23b584725cf16351394175a6d2a9577
SHA256 b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
SHA512 dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

C:\Users\Windows 87\Searches\Everywhere.search-ms

MD5 0fa26b6c98419b5e7c00efffb5835612
SHA1 d904d6683a548b03950d94da33cdfccbb55a9bc7
SHA256 4094d158e3b0581ba433a46d0dce62f99d8c0fd1b50bb4d0517ddc0a4a1fde24
SHA512 b80a6f2382f99ca75f3545375e30353ed4ccd93f1185f6a15dbe03d47056dad3feea652e09440774872f5cba5ef0db9c023c45e44a839827a4b40e60df9fd042

C:\Users\Windows 87\Links\Downloads.lnk

MD5 bf0fcee9183a6b6ca679c81c2b424488
SHA1 106030592ccbfb1478716b7d216de4097a04a1d6
SHA256 ec350d50a40c005cc6a0488c6b3b83c3562218681403c266928c51f37a6ef6dd
SHA512 85abb2933630ae8d2edc46392bce8b281bd3ac57f2a13ce6e5d179b334d7b4f1791849c2a88ad57bb286518df19a6de69fa97930c3254c2ce3317945642a8941

C:\Users\Windows 87\Links\Desktop.lnk

MD5 9b91d97f399999995a4aaefe4b6637ae
SHA1 d0ac8c4ec8f0fcd13accb01509b7ae18886a2f5a
SHA256 f1b0a6bc0c1f594010af00c4a5e40bc46cbeb9615078860b68c7c14d7b8996e3
SHA512 a243549ea1e133d576b5c38a6ab69d6ef6845be013d820807ab2822e7c67ff04e07e0362cf8fb961989036c598d1b605ea1055db218f7477cb3ba20714ca964e

C:\Users\Windows 87\Links\RecentPlaces.lnk

MD5 0025c3a7d7c4e90e58332958b00d83c4
SHA1 01dd4fdb260f66923004acb5a874111a9d14da38
SHA256 36db348143da1b5c16b9074940e85761950ee30b533b7ca75924f2f4ef6b253b
SHA512 b5631c94bad794541d16f2fa3a02018f4b34b680b63a9f3b6a3da4329216567a7ba9ceb8d4bd18165b0e55142f42e039f160ec675c0946237c276de1a6e642c4

C:\Users\Windows 87\Searches\Indexed Locations.search-ms

MD5 b6acbeb59959aa5412a7565423ea7bab
SHA1 4905f02dbef69c830b807a32e9a4b6206bd01dc6
SHA256 99653a38c445ae1d4c373ee672339fd47fd098e0d0ada5f0be70e3b2bf711d38
SHA512 0058aa67ae9060cb708e34cb2e12cea851505694e328fd0aa6deba99f205afaffdf86af8119c65ada5a3c9b1f8b94923baa6454c2d5ab46a21257d145f9a8162

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 1ab315bb411f43b47cb4e35342aad79a
SHA1 53a7ffa1235ab89163f701d9e85aa9a96d9c559f
SHA256 df763fa8b19ff124348c1054ff9808d83ccdbd4c65c56258678e56c6dbd6f005
SHA512 ace04c3e5615f7fd8e321d6a1b58775e2697f52d218348eb9a2d97435ea8a091b29264d68677f10e2a7c73dac5da8644510a1e80c2f8e2bc4c06b83a95401b04

C:\Windows\TEMP\Crashpad\settings.dat

MD5 31acea3efb143b49d506b757cae846a7
SHA1 e7d42a766af99611eb138d402b4d82d44b1f9904
SHA256 f2313dee0685fe4fe3e237fcb61aea6be8588dc78fc51445def71320876b7667
SHA512 2e26d7d42a1f88ea0b80b23303c8f6021168b110155488531a52f7a47eeed849d60ccd5035315cb970a47af8ee3c935203a460c753bd036e35af96bdc4844fef

C:\Users\WINDOW~1\AppData\Local\Temp\chrome_installer.log

MD5 427cc742e20366b20ef3f1efea7d1966
SHA1 72317ab15468da878e0c1ad7e634d94e754bd104
SHA256 34b856fd7cde12256f173239589cb50a3ed357d497b1219594c362b359724299
SHA512 b6e43e26dd0374dad37ba1e6672d730817f697cfb396fc7f79d5dcdabf8929e4f83a4956bc3aa3dacbac2d1a6b46154f69e9289a6f9acf3b214586dfe30bfc32

C:\Program Files\Google\Chrome\Application\SetupMetrics\acc5120d-45c5-4833-a33a-90fb3f975a67.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk

MD5 5c3050419f28b41869ba66db61817748
SHA1 5aee2ad2dc2da38359fd13349bf1a48b9e1c55bc
SHA256 c23812e04ef2c7678c8b1d2dcb8c7d8c8bb5e35d4c8c7e8d0a606391c367b38c
SHA512 01e58e7bd7737887b61b58b2a4b7fd25f75493443c967484ab3b762b0e3ec19d347824a8946edd7bfffcf48282a51130f448dc9cb1b25c26d5ad26e7104dc639

C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini

MD5 3a33faac6513738fd86f43dff8989882
SHA1 afd4390e6b63c40e55ca08d27661a23d657b01a2
SHA256 21a4315cbae2b0e8db633e86c344171da86f115bcbbb745680ff6f577668c910
SHA512 8d7a47cba6b4d0da36151221c373625b67e44354b7cde41b5c3657e73a843b22a0a5b0bf92a4cbc32eac70b8292d674821085acf92bb58b94ea4542458c94b57

C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk

MD5 79fcee66d8b1f20a14c99007956fc44a
SHA1 ea5c098d628358ff38124c8887fe9e954b053f78
SHA256 43538a53f0b9b3c867f25d6e05b2f8d3d64784a5e006a7346a4652d6f6f943ea
SHA512 1aa6e284e58f7126927a476c249bf89f2a9057c43a4574f4bb4e749d2725ae97d85f53048be7ae73cb310e1ab2bca4bae152ae47dd6e168fbb78db8031e7742a

C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 1c61dc21f9b83172d65be1e94b79026f
SHA1 7324473ddda64b87c299bf6e3b9e9aff53f7fd74
SHA256 8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b
SHA512 9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8

C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk

MD5 47b2e1c4ddd5fa161f4e7314222d7a29
SHA1 f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4
SHA256 20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772
SHA512 07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b

C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 9a1b13fd914dd7054b83bc1760c99ab8
SHA1 340c37602b11cd3cb9ae681d09bfc4c81f733742
SHA256 7f0a9cc0be951d60d6c8e60d1a612bfa65fa390020d7c0c80f212ba2a47a4aa3
SHA512 50d48a348c71fb9e89ab01e59fe599b692a1701f19d2c9de6ae09678e0a44ba95020b1989f9c776edcacacc5f2b2b348b0f31aa28c04850e69e47cda6dcaf88e

C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

MD5 e5a8eb64419f6d85a1b7aed2152616c2
SHA1 f5d94f8953bb235e35fccec0ea4f14ba69443081
SHA256 5266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7
SHA512 7c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6

C:\Users\Windows 87\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

MD5 e0fd7e6b4853592ac9ac73df9d83783f
SHA1 2834e77dfa1269ddad948b87d88887e84179594a
SHA256 feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122
SHA512 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

C:\Users\Windows 87\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms

MD5 edd74e4bf544f4858d7deede007c7b26
SHA1 164b3e981decf807d0454459025c70ee6e6f2f36
SHA256 1c32e351c8122087cc2c906c30779b9608c7477be869f015d8b5b2e3ab813619
SHA512 7e34cd47eaefad5fcc71de6f6bd2656c8a9ae8ce5a31c4eaf55445806fbc46168d7db97303b7748452876471ed2487f6a78d1d639e0f34a4fa4b06f5c958ef8f

memory/2908-1572-0x0000000004610000-0x0000000004620000-memory.dmp