Analysis Overview
Threat Level: Known bad
The file http://roblox.com was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Grants admin privileges
Boot or Logon Autostart Execution: Active Setup
System Binary Proxy Execution: Rundll32
Drops startup file
Enumerates connected drives
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Browser Information Discovery
System Location Discovery: System Language Discovery
Permission Groups Discovery: Local Groups
Modifies Internet Explorer Protected Mode
Modifies Internet Explorer settings
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Checks processor information in registry
Runs net.exe
Modifies Internet Explorer start page
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-20 01:55
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-20 01:55
Reported
2024-10-20 01:59
Platform
win10v2004-20241007-en
Max time kernel
131s
Max time network
128s
Command Line
Signatures
Grants admin privileges
Browser Information Discovery
Permission Groups Discovery: Local Groups
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://roblox.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffcf8f346f8,0x7ffcf8f34708,0x7ffcf8f34718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\net.exe
net user add /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user add /add
C:\Windows\system32\net.exe
net localgroup administrators add /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators add /add
C:\Windows\system32\logoff.exe
logoff
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa393b055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roblox.com | udp |
| GB | 128.116.119.3:80 | roblox.com | tcp |
| GB | 128.116.119.3:80 | roblox.com | tcp |
| GB | 128.116.119.3:443 | roblox.com | tcp |
| US | 8.8.8.8:53 | www.roblox.com | udp |
| FR | 128.116.122.4:443 | www.roblox.com | tcp |
| US | 8.8.8.8:53 | css.rbxcdn.com | udp |
| US | 8.8.8.8:53 | static.rbxcdn.com | udp |
| US | 8.8.8.8:53 | js.rbxcdn.com | udp |
| GB | 2.18.190.80:443 | css.rbxcdn.com | tcp |
| GB | 2.18.190.80:443 | css.rbxcdn.com | tcp |
| GB | 2.18.190.80:443 | css.rbxcdn.com | tcp |
| GB | 2.18.190.80:443 | css.rbxcdn.com | tcp |
| GB | 2.18.190.80:443 | css.rbxcdn.com | tcp |
| GB | 2.18.190.80:443 | css.rbxcdn.com | tcp |
| GB | 2.19.117.6:443 | js.rbxcdn.com | tcp |
| GB | 2.19.117.6:443 | js.rbxcdn.com | tcp |
| GB | 2.19.117.6:443 | js.rbxcdn.com | tcp |
| GB | 2.19.117.6:443 | js.rbxcdn.com | tcp |
| GB | 2.19.117.6:443 | js.rbxcdn.com | tcp |
| GB | 2.19.117.6:443 | js.rbxcdn.com | tcp |
| GB | 2.18.190.78:443 | static.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.119.116.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.122.116.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metrics.roblox.com | udp |
| US | 8.8.8.8:53 | apis.roblox.com | udp |
| FR | 128.116.122.4:443 | apis.roblox.com | tcp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.190.18.2.in-addr.arpa | udp |
| FR | 128.116.122.4:443 | apis.roblox.com | tcp |
| US | 8.8.8.8:53 | locale.roblox.com | udp |
| GB | 2.18.190.80:443 | css.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | apis.rbxcdn.com | udp |
| GB | 2.19.117.27:443 | apis.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | auth.roblox.com | udp |
| US | 8.8.8.8:53 | images.rbxcdn.com | udp |
| GB | 2.18.190.75:443 | images.rbxcdn.com | tcp |
| GB | 2.18.190.75:443 | images.rbxcdn.com | tcp |
| GB | 2.18.190.75:443 | images.rbxcdn.com | tcp |
| GB | 2.18.190.75:443 | images.rbxcdn.com | tcp |
| GB | 2.18.190.75:443 | images.rbxcdn.com | tcp |
| GB | 2.18.190.75:443 | images.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | 27.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ecsv2.roblox.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e443ee4336fcf13c698b8ab5f3c173d0 |
| SHA1 | 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a |
| SHA256 | 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b |
| SHA512 | cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd |
\??\pipe\LOCAL\crashpad_1036_WDUKTXQWTFSPKMTC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56a4f78e21616a6e19da57228569489b |
| SHA1 | 21bfabbfc294d5f2aa1da825c5590d760483bc76 |
| SHA256 | d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb |
| SHA512 | c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e618d0d8d91d507f18785ddda05c6967 |
| SHA1 | cc6c6a6be87332da571ef856d52dda2e7c7f3e03 |
| SHA256 | 7cca3eea08d8e7135b30f6819074b85a972ae9d5d924b3ebec40915808c22e24 |
| SHA512 | 381fe1d7e330b5d52b9173bd0fcabd76fe9caf0126eed211ba1babab46c51ceaef57dba683227f1b8f1aacb23bc66d19dde5506e1669d628cacf38211cab31dc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8100686a5339dc017bbd25ca46a1c708 |
| SHA1 | 143c68971265e628857d3cfc2eb45c91a6f011a1 |
| SHA256 | 16f8291c488eca398bf925d57863620f6695849d7bcaf78aaab881d4e651bab4 |
| SHA512 | 3e637547fb7a2b37230706ca8f3ee7df4142ab8d6108037601d93702f847657cf8aae5aa2a0a592611c1614df532343d5390751eb52294643401c2671708d74b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8bebc03570eafc57e52bbc2385fceb66 |
| SHA1 | 922ba5d698ac9bead27a4e85732a312c7ed11fcc |
| SHA256 | 0028416c30e4ce2493245eae65f99e19ebc3a740227e0f6b0cfd4e5cebe3e788 |
| SHA512 | b9e6f617ad2fc1621a1f8a17426363ab244ae9cb69672e19d5958258557cf8598a9d1f2bb72fd5b13cf09dc76ae7dbee46e740b5cde8d11106bd05860f1a46c0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f52d.TMP
| MD5 | 9dee17bae2f1fd292f30f52b8b9b6449 |
| SHA1 | f5236676ac107bd880b90ba08a139cd9c0ef0030 |
| SHA256 | 2dfa21d490f150bb4407846ba4895029ad4937e241c298362ea157f7cb69675f |
| SHA512 | 3a3efdb11679f3ba2bf042e080217f3390f4342c558e4206fe6bdd4e17f197575ac11f36a9461a03b508170af8b0bc778e54a98fc755f7504938dc36a3b21794 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7a0977b7abb63e9eb715035f0ebac56b |
| SHA1 | c8e48696c447783831d00c9318280cd128a9cd9e |
| SHA256 | 44617072274d7b198cd1490782def7a83d89493c68a5ec49fc16fab77652f5c0 |
| SHA512 | e73d94dbb01f6e5419b40f287f91fc34ae9d90a4b9bd395585cf245fb196cf37d34ee70b03dfaae8b51d711f462ca72e1c925301ca01b50a4176144c81c66585 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 5ae8ba32702ba9278c7c2cdbdfdf29b7 |
| SHA1 | c8fbe9fdd6bad8f2d4a29f369d143487ade2fa17 |
| SHA256 | 0c7e6b587bbfe082fdaa36a2c921260549e0da1b537d9874a1363e89906b091e |
| SHA512 | 19d9d5c7fcdda3019c3630cce68594de4277b1d2856c9c31cce0f5dea61aefe9229c3f5fb6baa1e179530ec5e8f8ec7b6d012894d4fea9969ca7a3d8b977b16c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f596c6ad8f32e31a99958710207c0e10 |
| SHA1 | afa0334d42da1627949ca0648f403268fb5101cb |
| SHA256 | ca9ccf29d22c87d3e1d1611064645c547b14d88815855e09433675df2e0d8539 |
| SHA512 | 7e9fad74064ced816187773501888a3ad94fbe529e03fa1da5ff961a841da0770bb3f31d13bcce01b587b8a2f529a64a679fbe4553f57f8e18fab6fec1704003 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | ec66d59ee399767f14f3c64e32914941 |
| SHA1 | b00035f355a331ac8539ffca115505e225a0957a |
| SHA256 | 79126967f23873cf24ed7c8135b7ece6d40af41a75baae78157f4a6e45d22ce5 |
| SHA512 | 8fdfa3ae7b4c1f89a5b9859997ce756386a5962bdfdbc1ac4b985ad9c845bab2dc8c443ccc4888dc7f4ce22ebb318def95c737a4f4a2d39c3abb6d762cca0f81 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f0be1265a2572156834f4d90d3411de9 |
| SHA1 | 07f56cc73201af84594899e89dbc68eead857705 |
| SHA256 | f53449f89974c926b3c56b787a891185ede4592e9f417baf45134f9e1bb8660a |
| SHA512 | ea5b264f18dee6a4129ef992ab92c0cb673edba44923bdb3641e472938fd487e6fe96f03e867dedd9c937909c1aa19fa163dcc8c623075ed17d964c087bcb012 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 86e371cf6a8348ab68300b8aaf7452f7 |
| SHA1 | 51d560f073d8e4b841a6fe148831b8ffea9148b9 |
| SHA256 | 0016e2022dccc91079288dd69d5bcc73597c4a724fdc068c753d48f0ab7e9aa7 |
| SHA512 | f4e61d24f4972b2433a35af02f11a7a18fc2c13d87fb74308b79d343daa071341ad7cc26b75772afe1d1272530948a36fb7f3d8afb23b8c88695876a55056589 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\396fd16f-3ba8-4ef2-a4b3-21f6d77237cb.tmp
| MD5 | c688cf8cdf72028d78551e6165f4f99c |
| SHA1 | 7c7eb560a41bab1e236a9992811a52c6991b9151 |
| SHA256 | 667454090e6b658f98123e1a62774a6d602bcda71082dd66c6baf182c762bee0 |
| SHA512 | 5e8d5d393e1f8915664cfc0ed963792ae1858fc6893fde0c0b006acf0bd0b5ca158c7af0c6236781780372d817fcf11a56f4cfeb3dc42369de13ad1ac2f92978 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 235daef238f23634da1531d3f253ac56 |
| SHA1 | 4731f3a6b9873db4bc076109ea63a61a287f0877 |
| SHA256 | ffa8403793acdf76315c65734e9e26a180b7bee26e5565010cf0ce24fd05f322 |
| SHA512 | 47cc9bc4573591529b32e4587aa7aa4cbdb92dfc0049f69f41142217a652a60c4456e9761401d472b4861c5dc2a995b6167739e1bec23cc9efac7b5294753df2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0c5d1c5b158ecf14f39abe9c9d1f5a71 |
| SHA1 | 684171eb3af8bd0f1d960d112072e7314541fab9 |
| SHA256 | cdb0d23e31aec55c7ead7c8c008aaeb81a84fbd7017f195d5d82eed25954c4b4 |
| SHA512 | d515a67e24ebac914fe82af5badfeccdd0bc99f5c6f2e4a8514be5e12b5ac5fc8581ff736cdd38a7e631ce1eeabb029fc3328484e3589bd3ccfe238f57fd582b |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-20 01:55
Reported
2024-10-20 02:00
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Explorer.EXE | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "Windows 87" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514" | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Active Setup\Installed Components | C:\Windows\Explorer.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
System Binary Proxy Execution: Rundll32
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Windows 87\Saved Games\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Contacts\desktop.ini | C:\Program Files (x86)\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Users\Public\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Links\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Saved Games\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1001\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Searches\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Links\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Favorites\Links for United States\desktop.ini | C:\Windows\System32\mctadmin.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Pictures\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Contacts\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Downloads\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Favorites\Links\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Desktop\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Favorites\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File created | C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Searches\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\unregmp2.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Desktop\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\unregmp2.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Local\Microsoft\Windows\History\desktop.ini | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Favorites\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Contacts\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Downloads\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Videos\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1001\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Public\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Documents\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\Music\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
| File opened for modification | C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | C:\Windows\System32\regsvr32.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\unregmp2.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\unregmp2.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\Windows 87\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\Windows 87\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.INI | C:\Windows\System32\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\mshtml.Install\mshtml.Install.DAT | C:\Windows\System32\rundll32.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT | C:\Windows\System32\ie4uinit.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.INI | C:\Windows\System32\ie4uinit.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe | C:\Windows\Explorer.EXE | N/A |
| File opened for modification | C:\Windows\INF\setupapi.app.log | C:\Windows\System32\ie4uinit.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Windows Mail\WinMail.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Explorer.EXE | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\runonce.exe | N/A |
| Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Explorer.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | C:\Windows\system32\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | C:\Windows\system32\csrss.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | C:\Windows\system32\csrss.exe | N/A |
Modifies Internet Explorer Protected Mode
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\31 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\13\IEFixedFontName = "Shruti" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\25 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\7\IEPropFontName = "Sylfaen" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\24\IEPropFontName = "MS PGothic" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\SOFTWARE\Microsoft\Internet Explorer\Main | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Security | C:\Windows\System32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\20\IEFixedFontName = "DokChampa" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\28 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\9\IEPropFontName = "Times New Roman" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\28\IEFixedFontName = "Euphemia" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\31\IEFixedFontName = "Segoe UI Symbol" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\SQM | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Document Windows | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmz | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wax | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\4 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\11\IEFixedFontName = "Shonar Bangla" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\17\IEFixedFontName = "Tunga" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Show_ToolBar = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Desktop | C:\Windows\System32\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Document Windows\x = 00000080 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.midi | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\35\IEFixedFontName = "Estrangelo Edessa" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Settings\Anchor Color = "0,0,255" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Anchor Underline = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Use_DlgBox_Colors = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Search Page = "http://go.microsoft.com/fwlink/?LinkId=54896" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Document Windows\height = 00000000 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\14 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\27\IEPropFontName = "Nyala" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\SOFTWARE\Microsoft\Internet Explorer\New Windows | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\SOFTWARE\Microsoft\Internet Explorer\Settings | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Settings\Use Anchor Hover Color = "No" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Play_Animations = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\21 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\35 | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\GPU | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\6 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\30\IEFixedFontName = "Microsoft Yi Baiti" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Document Windows\width = 00000080 | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\UseClearType = "no" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Windows\\web\\wallpaper\\Windows\\img0.jpg" | C:\Windows\System32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wm | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti" | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Settings\Text Color = "0,0,0" | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\International | C:\Windows\System32\ie4uinit.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Setup | C:\Windows\System32\ie4uinit.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141" | C:\Windows\System32\ie4uinit.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | C:\Windows\system32\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | C:\Windows\system32\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | C:\Windows\system32\winlogon.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/basic\Extension = ".au" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wma\MP2.Last = "Custom" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wmz\ = "WMP11.AssocFile.WMZ" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.3G2\PreferExecuteOnMismatch = "1" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.3gp | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\shell\play\ = "&Play" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mp2\OpenWithProgIds\WMP11.AssocFile.MP3 = "0" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg2a\Extension = ".mpeg" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.aifc | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/avi | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv\Extension = ".wmv" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.adts | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.M4A\PreferExecuteOnMismatch = "1" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/quicktime | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cda\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mid\Extension = ".mid" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.aiff | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\OpenWithProgIds\WMP11.AssocFile.MPEG = "0" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.MTS\MP2.Last = "Custom" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867} | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-ms-wax\CLSID = "{cd3afa83-b84f-48f0-9393-7edc34128127}" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.aac | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/wav\CLSID = "{cd3afa7b-b84f-48f0-9393-7edc34128127}" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.dvr-ms | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shell\Play\command | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.WVX\PreferExecuteOnMismatch = "1" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.AAC\OpenWithProgIds\WMP11.AssocFile.ADTS = "0" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mp2v | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic\ = "{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp2\Extension = ".3g2" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/3gpp\CLSID = "{cd3afa97-b84f-48f0-9393-7edc34128127}" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.3GP\PreferExecuteOnMismatch = "1" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cda\MP2.Last = "Custom" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.m2t\OpenWithProgIds | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\ = "&Add to Windows Media Player list" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpeg\Extension = ".mpeg" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.AAC\MP2.Last = "Custom" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mpg | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.wm\ = "WMP11.AssocFile.ASF" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mid | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.M4A\PreferExecuteOnMismatch = "1" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.tts | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-wpl\CLSID = "{cd3afa95-b84f-48f0-9393-7edc34128127}" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-ms-wmd\CLSID = "{ee4da6a4-8c52-4a63-bbb8-97c93d7e1b6c}" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/3gpp | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpeg\Extension = ".mpeg" | C:\Windows\System32\unregmp2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\.3gp\OpenWithProgIds\WMP11.AssocFile.3GP = "0" | C:\Windows\System32\unregmp2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-midi | C:\Windows\System32\unregmp2.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\LogonUI.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\winlogon.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\winlogon.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\winlogon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\winlogon.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\winlogon.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\winlogon.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\winlogon.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\ie4uinit.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\rundll32.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Mail\WinMail.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://roblox.com
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\userinit.exe
C:\Windows\system32\userinit.exe
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files (x86)\Windows Mail\WinMail.exe
"C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -UserConfig
C:\Windows\System32\ie4uinit.exe
C:\Windows\System32\ie4uinit.exe -ClearIconCache
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
C:\Program Files\Windows Mail\WinMail.exe
"C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
C:\Windows\System32\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1401c7688,0x1401c7698,0x1401c76a8
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x1401c7688,0x1401c7698,0x1401c76a8
C:\Windows\System32\dzuhbf.exe
"C:\Windows\System32\dzuhbf.exe"
C:\Program Files\Windows Sidebar\sidebar.exe
"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
C:\Windows\SysWOW64\runonce.exe
C:\Windows\SysWOW64\runonce.exe /Run6432
C:\Windows\System32\mctadmin.exe
"C:\Windows\System32\mctadmin.exe"
C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
"C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe" Adobe Reader;65916
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roblox.com | udp |
| GB | 128.116.119.3:80 | roblox.com | tcp |
| GB | 128.116.119.3:80 | roblox.com | tcp |
| GB | 128.116.119.3:443 | roblox.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.22:80 | crl.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabFA68.tmp
C:\Users\Admin\AppData\Local\Temp\TarFAA9.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1001\desktop.ini
C:\Users\Windows 87\Contacts\Windows 87.contact
C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\edb.log
C:\Users\Windows 87\Contacts\desktop.ini
C:\Users\Windows 87\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak
C:\Users\Windows 87\Pictures\desktop.ini
C:\Users\Windows 87\Videos\desktop.ini
C:\Users\Windows 87\Favorites\desktop.ini
C:\Users\Windows 87\Desktop\desktop.ini
C:\Users\Windows 87\Music\desktop.ini
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Windows 87\Documents\desktop.ini
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Windows 87\Searches\desktop.ini
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Windows 87\Links\desktop.ini
C:\Users\Windows 87\Saved Games\desktop.ini
| MD5 | b441cf59b5a64f74ac3bed45be9fadfc |
| SHA1 | 3da72a52e451a26ca9a35611fa8716044a7c0bbc |
| SHA256 | e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311 |
| SHA512 | fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | a02b521dcc95b48e458eb02ac77651a2 |
| SHA1 | 3dbd253d2f9a12db8c76e99dc426e42ed35a9f0d |
| SHA256 | daca98fc728725fbb4b3dfa17b6c71c837e3a34e001217d71d4bfe6cb298bc7e |
| SHA512 | e2afcc8cfcee4f0dff6762870df3ce7ffd78ec73e1729ae294f5c98866fc2828779f408cc73e66e7b4a91cc89c215746b8b0a92c8b3da38460f8c3cc4fac59b6 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | a75f4e6f234c3e9adb0de2b630e526e9 |
| SHA1 | 48f4b8e64def91ec54a43333636e774d600b695e |
| SHA256 | bcf7c6887d119d4a5f891206fc74425b4cb18c1677e0a1b9317b8cdefb8a297e |
| SHA512 | afc89ce43a01c1e29cccd104714b4d3b6a576c91831278eda6322325c038477eba735fa4c51e5a72a9e1cb52f400a4792662cdac54f184445b5db79fd7d91464 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
| MD5 | 453249f95d75eb5e450eb91fa755e1c8 |
| SHA1 | 3e200e187e8cd21d3d1976ea0f7356626254de18 |
| SHA256 | 01bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a |
| SHA512 | 6125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
| MD5 | 548b310fbc7a26d0b9da3a9f2d604a0c |
| SHA1 | 1e20c38b721dff06faa8aa69a69e616c228736c1 |
| SHA256 | be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac |
| SHA512 | fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1 |
C:\Users\Windows 87\Links\desktop.ini
| MD5 | 92adc8410cd8cb1d0481e2adbb62c7dd |
| SHA1 | bac1444ebe0bac748966f3bee84ee11e151a4810 |
| SHA256 | 4a3d7ccddac5c1b437fb687e90589015b9b9ae7708ea35eed9917d1190f65694 |
| SHA512 | d7c3a5df50b28e336ff24f828cdf225554d199d3c2a857e2a7baa1f2bc1fee21944733edee52bd665ebaee999f5668d03497e9bfe88d58d380b74e6046ec5d62 |
C:\Users\Windows 87\Links\desktop.ini
| MD5 | de8858093993987d123060097a2bad66 |
| SHA1 | 0a89e87ba46538cb73aff1a47e4dc0bcfb4760d5 |
| SHA256 | 4c0d757717dec80eca8c6cbbfdda4706eb38fbbb7624933d5429dafc7bb9f0ec |
| SHA512 | fa348ac4025b599f460cb831338ce010dde8fba87587a6d078d6d594a30fee87ed112e412078c10604553f326cc7bd7627ae93b0e3d8a60cfeda0720cad29f4c |
C:\Users\WINDOW~1\AppData\Local\Temp\RGI2694.tmp
| MD5 | 3006752a2bcfeda0f75d551ea656b2ef |
| SHA1 | b7198fc772be6d6261ed4e76aca3998e8f7a7bdb |
| SHA256 | dfd64231860c732dced3dc78627a7844a08d5d3e4cd253fd81186bae33cc368a |
| SHA512 | 3fcfa7c8f46220852dc7efef5b29caba86825d0461a35559f26dbb2540c487b92059713f42fe1082a00a711d83216db012835673e1c54120ffa079e154950854 |
C:\Users\WINDOW~1\AppData\Local\Temp\RGI26D7.tmp
| MD5 | a828b8c496779bdb61fce06ba0d57c39 |
| SHA1 | 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda |
| SHA256 | c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d |
| SHA512 | effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea |
C:\Users\Windows 87\Favorites\Links\Web Slice Gallery.url
| MD5 | 873c8643cbbfb8ff63731bc25ac9b18c |
| SHA1 | 043cbc1b31b9988d8041c3d01f71ce3393911f69 |
| SHA256 | c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466 |
| SHA512 | 356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943 |
C:\Users\WINDOW~1\AppData\Local\Temp\www2948.tmp
| MD5 | c2858b664c882dcce6042c40041f6108 |
| SHA1 | 52eeaa0c7b9d17a8f56217f2ac912ba8fdc5041a |
| SHA256 | b4a6fb97b5e3f87bcd9fae49a9174e3f5b230a37767d7a70bf33d151702eff91 |
| SHA512 | 51522e67f426ba96495be5e7f8346e6bb32233a59810df2a3712ecd754a2b5d54d0049c8ea374bd4d20629500c3f68f40e4845f6bb236d6cca7d00da589b2260 |
C:\Users\WINDOW~1\AppData\Local\Temp\www2959.tmp
| MD5 | ad93eaac4ac4a095f8828f14790c1f8c |
| SHA1 | f84f24c4ca9d04485a0005770e3ef1ca30eede55 |
| SHA256 | 729111c923821a7ad0bb23d1a1dea03edbf503cd8b732e2d7eb36cf88eaa0cac |
| SHA512 | f561b98836233849c016227a3366fcf8449db662f21aecd4bd45eb988f6316212685ce7ce6e0461fb2604f664ed03a7847a237800d3cdca8ba23a41a49f68769 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
| MD5 | da288dceaafd7c97f1b09c594eac7868 |
| SHA1 | b433a6157cc21fc3258495928cd0ef4b487f99d3 |
| SHA256 | 6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2 |
| SHA512 | 9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062 |
memory/2924-1088-0x0000000002AA0000-0x0000000002AA2000-memory.dmp
C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\edb.log
| MD5 | 0b74c5d2d33fb117533ca2f9c47d2127 |
| SHA1 | 98efcdfd19bff666ce421bc8e471424e0b87d845 |
| SHA256 | 002d28caebeab46a42bb147ac67e54c594f6da81fcb6b277e7ae07ebb5f9d83c |
| SHA512 | 6ed31897a3a868783bc5958d5ae494ad36c96c83a9ada1204dc121e04420c5132c9511289dabc6ae8ed721f5b5b34abb55488523bf42c81f268ddeac0c60480c |
memory/2924-1100-0x0000000002250000-0x0000000002251000-memory.dmp
memory/2924-1098-0x0000000002650000-0x0000000002652000-memory.dmp
memory/2924-1091-0x0000000002E70000-0x0000000002E71000-memory.dmp
C:\Users\Windows 87\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | 7057aeaa2156ab2d556660065cd0f028 |
| SHA1 | 1ed29318357a5c98329329211ca4e1770898b23b |
| SHA256 | 746ded812d5fee4880d0487a56181c33b5c5e516c17490d68fc24ab437133532 |
| SHA512 | 09c4a99cec59d57482ce27ec1dff245c5603b0a3bed34308ddcc141d08ac5250d9f843869b730cff71c6644631cd2f0e0d55fcff814620f4cd407667be500308 |
C:\Users\Windows 87\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
| MD5 | 3932679c5a6800dcd033625d22706e33 |
| SHA1 | 6dd374f6d577c89b706465852edb4459caa1dbfe |
| SHA256 | aa9104391700d61ddd14bcf245d268493a096d4c0cc801acfcb0e52641817931 |
| SHA512 | ae5ad0e2887ad1891b2ec81771ed6990350776f8787ce395933faecfe3b77ca94de05cd03ff6b18d4bedb526ffa1929081b8683e95e82b7e9bb4680a2c31bb86 |
C:\Users\WINDOW~1\AppData\Local\Temp\wmsetup.log
| MD5 | 1174ebe09175562dd063a847ecaec6f4 |
| SHA1 | 851a194b04556dfbeafc2b555d075a13656513fb |
| SHA256 | 716179a7d69b933826b4decbe13db6b0ccdc2398e5a3d911fddae75cd883c6c9 |
| SHA512 | 1c9bc45a3e28c07b4afc4d99a305807ba937c1c6778b0e4a0c0a032288a0df9abe59fcf4f56b30478cd31b268b12b64e387be824147c259d67800744597783a4 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
| MD5 | 46a4eca2a791d84afecfd9f129a567df |
| SHA1 | 004f2926d9377cc23c5b68ce26907435b8539643 |
| SHA256 | 06b6d34db7e9ebecc07e0b53fedb2a9bc2d4563b1d2037b7630fbc002942baf7 |
| SHA512 | dbeecf882210add0dd4ac57f75ccdf6a9604c3308e92f70747313f89a7f9c590f4e1cdd507e53ee37e0a1b7e437320dc6ec1299d406ef34ddd67dfd900fddd98 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk
| MD5 | 2cc35f24339bde300006b33f51881925 |
| SHA1 | f8866e4074643cab177985d7944147ad175a4b2b |
| SHA256 | e8f18a9250d0e7f97e0555494f1720d3ea17fb0adb2b17627cf9886817635038 |
| SHA512 | 670eac3a90cb6a7fb0ea0c93f8d260fef87fec36698df3c7344c9e420e84fa9382986777fa755064a7a5ca1f79aee146693a72bea9896f38f13aaee05818cf65 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
| MD5 | 6ebf7e74b0e452f75d422e82e460eac1 |
| SHA1 | 23ca01eccfbee7aa5b1cf7b611fd6b5a8c4e64c2 |
| SHA256 | a83e414905e745998e8257fcce0575c9f7ddcc25d7798d640d97856aec736bb2 |
| SHA512 | 370ee022c382051dcdc56814c3596f829f3009e2abb26809ee07f002371502749ca3643b79dbeae2d7349a63f25838a3912a0fb6b0d983a7c6387380fce12fd7 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
| MD5 | e4e50dfa455b2cbe356dffdf7aa1fcaf |
| SHA1 | c58be9d954b5e2dd0e5efa23a0a3d95ab8119205 |
| SHA256 | 9284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927 |
| SHA512 | bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169 |
C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\edb.chk
| MD5 | 7b732de80871981a8521b646dd40d1f3 |
| SHA1 | 6145ab69cec5f4f9ce60f715a928f9f4587c7311 |
| SHA256 | 4dd21d1e4ba3fe44107279e625b6b2818b0e421bf6462685ef20ebb08855f917 |
| SHA512 | 9a24c4d6e4f92bde8d0e069cf3341743133645c56a2a645c37a8ce5344998ceeb8114d3771b5d0d054fddfd1280ab673ec988864d2c15c5fe0e0654832dc1545 |
C:\Users\Windows 87\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
| MD5 | f12a88d883c786b07da87135afdd90e6 |
| SHA1 | 7be158171902f737194837e3067e7c952eef3417 |
| SHA256 | f57b772a87c9d73450a102d3f053a64fd1f708bb2150398c5177ec625c01c829 |
| SHA512 | 86baa355c95bb98e497094285ab40d73648d7ebae8a3a31d6be5c94d716b1221aab25137abcd547e73e47609d42736ef1ccd8452d924730842b7a1cb8831da85 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms
| MD5 | 518297d1dbbcd7730362bd4e6279b614 |
| SHA1 | 306c7aa11a78cb583350595e5b8d5331341d9982 |
| SHA256 | 68f45b3d002fa5ed2d4afb22a78ae63c4041ab2ba7a5dd9f246d0f8a23ebf463 |
| SHA512 | 3b7e08bed0a7d12ca2b560fa4b316b76aef8b43b1dd50b5b64f4f632db635d2ee7a679feb5e6847bc69a785c2af9c1fb3e05c594fd34616f7890fd58ed812496 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms
| MD5 | e44712b9019e0fb757fe6d714a9cc68b |
| SHA1 | 2fd3d36a0ed53314376d3b9959beea50d3e072cf |
| SHA256 | 89245b2d412f0b789ca537372b3fb8384268ace41674aa7fb9668a505b36a2d1 |
| SHA512 | 7d44371ccc2304c3daf4fa38d3d0a2f39cfcba97479f980a7c7b786b3bc1364eede5fb4a54f592591d3b7931686a8dcb40848c41a6cc3bfaf593eaf64904ec6c |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms
| MD5 | fb3973bff11fab049a5afacabc339123 |
| SHA1 | 842ad211690f13e21998071223443e2a96d9f814 |
| SHA256 | f91d6a35247e0743f6ceac3a99c9192493e0f1fc57a60755a5aa557af314ee9b |
| SHA512 | a4c13a9b2f636e97f53e5b4d751804ee2de166f10981ddf087b56b5e40df88740c30ba4c9fd8d496c99fe338942d7f8ca5f2dee5a811d69b8081c15ebeceb240 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Windows 87\Downloads\desktop.ini
| MD5 | 3a37312509712d4e12d27240137ff377 |
| SHA1 | 30ced927e23b584725cf16351394175a6d2a9577 |
| SHA256 | b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3 |
| SHA512 | dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05 |
C:\Users\Windows 87\Searches\Everywhere.search-ms
| MD5 | 0fa26b6c98419b5e7c00efffb5835612 |
| SHA1 | d904d6683a548b03950d94da33cdfccbb55a9bc7 |
| SHA256 | 4094d158e3b0581ba433a46d0dce62f99d8c0fd1b50bb4d0517ddc0a4a1fde24 |
| SHA512 | b80a6f2382f99ca75f3545375e30353ed4ccd93f1185f6a15dbe03d47056dad3feea652e09440774872f5cba5ef0db9c023c45e44a839827a4b40e60df9fd042 |
C:\Users\Windows 87\Links\Downloads.lnk
| MD5 | bf0fcee9183a6b6ca679c81c2b424488 |
| SHA1 | 106030592ccbfb1478716b7d216de4097a04a1d6 |
| SHA256 | ec350d50a40c005cc6a0488c6b3b83c3562218681403c266928c51f37a6ef6dd |
| SHA512 | 85abb2933630ae8d2edc46392bce8b281bd3ac57f2a13ce6e5d179b334d7b4f1791849c2a88ad57bb286518df19a6de69fa97930c3254c2ce3317945642a8941 |
C:\Users\Windows 87\Links\Desktop.lnk
| MD5 | 9b91d97f399999995a4aaefe4b6637ae |
| SHA1 | d0ac8c4ec8f0fcd13accb01509b7ae18886a2f5a |
| SHA256 | f1b0a6bc0c1f594010af00c4a5e40bc46cbeb9615078860b68c7c14d7b8996e3 |
| SHA512 | a243549ea1e133d576b5c38a6ab69d6ef6845be013d820807ab2822e7c67ff04e07e0362cf8fb961989036c598d1b605ea1055db218f7477cb3ba20714ca964e |
C:\Users\Windows 87\Links\RecentPlaces.lnk
| MD5 | 0025c3a7d7c4e90e58332958b00d83c4 |
| SHA1 | 01dd4fdb260f66923004acb5a874111a9d14da38 |
| SHA256 | 36db348143da1b5c16b9074940e85761950ee30b533b7ca75924f2f4ef6b253b |
| SHA512 | b5631c94bad794541d16f2fa3a02018f4b34b680b63a9f3b6a3da4329216567a7ba9ceb8d4bd18165b0e55142f42e039f160ec675c0946237c276de1a6e642c4 |
C:\Users\Windows 87\Searches\Indexed Locations.search-ms
| MD5 | b6acbeb59959aa5412a7565423ea7bab |
| SHA1 | 4905f02dbef69c830b807a32e9a4b6206bd01dc6 |
| SHA256 | 99653a38c445ae1d4c373ee672339fd47fd098e0d0ada5f0be70e3b2bf711d38 |
| SHA512 | 0058aa67ae9060cb708e34cb2e12cea851505694e328fd0aa6deba99f205afaffdf86af8119c65ada5a3c9b1f8b94923baa6454c2d5ab46a21257d145f9a8162 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms
| MD5 | 1ab315bb411f43b47cb4e35342aad79a |
| SHA1 | 53a7ffa1235ab89163f701d9e85aa9a96d9c559f |
| SHA256 | df763fa8b19ff124348c1054ff9808d83ccdbd4c65c56258678e56c6dbd6f005 |
| SHA512 | ace04c3e5615f7fd8e321d6a1b58775e2697f52d218348eb9a2d97435ea8a091b29264d68677f10e2a7c73dac5da8644510a1e80c2f8e2bc4c06b83a95401b04 |
C:\Windows\TEMP\Crashpad\settings.dat
| MD5 | 31acea3efb143b49d506b757cae846a7 |
| SHA1 | e7d42a766af99611eb138d402b4d82d44b1f9904 |
| SHA256 | f2313dee0685fe4fe3e237fcb61aea6be8588dc78fc51445def71320876b7667 |
| SHA512 | 2e26d7d42a1f88ea0b80b23303c8f6021168b110155488531a52f7a47eeed849d60ccd5035315cb970a47af8ee3c935203a460c753bd036e35af96bdc4844fef |
C:\Users\WINDOW~1\AppData\Local\Temp\chrome_installer.log
| MD5 | 427cc742e20366b20ef3f1efea7d1966 |
| SHA1 | 72317ab15468da878e0c1ad7e634d94e754bd104 |
| SHA256 | 34b856fd7cde12256f173239589cb50a3ed357d497b1219594c362b359724299 |
| SHA512 | b6e43e26dd0374dad37ba1e6672d730817f697cfb396fc7f79d5dcdabf8929e4f83a4956bc3aa3dacbac2d1a6b46154f69e9289a6f9acf3b214586dfe30bfc32 |
C:\Program Files\Google\Chrome\Application\SetupMetrics\acc5120d-45c5-4833-a33a-90fb3f975a67.tmp
| MD5 | 6d971ce11af4a6a93a4311841da1a178 |
| SHA1 | cbfdbc9b184f340cbad764abc4d8a31b9c250176 |
| SHA256 | 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783 |
| SHA512 | c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Internet Explorer (No Add-ons).lnk
| MD5 | 5c3050419f28b41869ba66db61817748 |
| SHA1 | 5aee2ad2dc2da38359fd13349bf1a48b9e1c55bc |
| SHA256 | c23812e04ef2c7678c8b1d2dcb8c7d8c8bb5e35d4c8c7e8d0a606391c367b38c |
| SHA512 | 01e58e7bd7737887b61b58b2a4b7fd25f75493443c967484ab3b762b0e3ec19d347824a8946edd7bfffcf48282a51130f448dc9cb1b25c26d5ad26e7104dc639 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
| MD5 | 3a33faac6513738fd86f43dff8989882 |
| SHA1 | afd4390e6b63c40e55ca08d27661a23d657b01a2 |
| SHA256 | 21a4315cbae2b0e8db633e86c344171da86f115bcbbb745680ff6f577668c910 |
| SHA512 | 8d7a47cba6b4d0da36151221c373625b67e44354b7cde41b5c3657e73a843b22a0a5b0bf92a4cbc32eac70b8292d674821085acf92bb58b94ea4542458c94b57 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
| MD5 | 79fcee66d8b1f20a14c99007956fc44a |
| SHA1 | ea5c098d628358ff38124c8887fe9e954b053f78 |
| SHA256 | 43538a53f0b9b3c867f25d6e05b2f8d3d64784a5e006a7346a4652d6f6f943ea |
| SHA512 | 1aa6e284e58f7126927a476c249bf89f2a9057c43a4574f4bb4e749d2725ae97d85f53048be7ae73cb310e1ab2bca4bae152ae47dd6e168fbb78db8031e7742a |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | 1c61dc21f9b83172d65be1e94b79026f |
| SHA1 | 7324473ddda64b87c299bf6e3b9e9aff53f7fd74 |
| SHA256 | 8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b |
| SHA512 | 9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8 |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
| MD5 | 47b2e1c4ddd5fa161f4e7314222d7a29 |
| SHA1 | f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4 |
| SHA256 | 20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772 |
| SHA512 | 07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | 9a1b13fd914dd7054b83bc1760c99ab8 |
| SHA1 | 340c37602b11cd3cb9ae681d09bfc4c81f733742 |
| SHA256 | 7f0a9cc0be951d60d6c8e60d1a612bfa65fa390020d7c0c80f212ba2a47a4aa3 |
| SHA512 | 50d48a348c71fb9e89ab01e59fe599b692a1701f19d2c9de6ae09678e0a44ba95020b1989f9c776edcacacc5f2b2b348b0f31aa28c04850e69e47cda6dcaf88e |
C:\Users\Windows 87\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
| MD5 | e5a8eb64419f6d85a1b7aed2152616c2 |
| SHA1 | f5d94f8953bb235e35fccec0ea4f14ba69443081 |
| SHA256 | 5266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7 |
| SHA512 | 7c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6 |
C:\Users\Windows 87\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
| MD5 | e0fd7e6b4853592ac9ac73df9d83783f |
| SHA1 | 2834e77dfa1269ddad948b87d88887e84179594a |
| SHA256 | feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122 |
| SHA512 | 289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55 |
C:\Users\Windows 87\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms
| MD5 | edd74e4bf544f4858d7deede007c7b26 |
| SHA1 | 164b3e981decf807d0454459025c70ee6e6f2f36 |
| SHA256 | 1c32e351c8122087cc2c906c30779b9608c7477be869f015d8b5b2e3ab813619 |
| SHA512 | 7e34cd47eaefad5fcc71de6f6bd2656c8a9ae8ce5a31c4eaf55445806fbc46168d7db97303b7748452876471ed2487f6a78d1d639e0f34a4fa4b06f5c958ef8f |
memory/2908-1572-0x0000000004610000-0x0000000004620000-memory.dmp