Malware Analysis Report

2025-01-18 04:08

Sample ID 241104-ehks7stdpm
Target Client-built.exe
SHA256 48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01
Tags office04 quasar credential_access discovery spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar credential_access discovery spyware stealer trojan

Quasar RAT

Quasar payload

Quasar family

Checks computer location settings

Executes dropped EXE

Credentials from Password Stores: Windows Credential Manager

Enumerates connected drives

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Modifies Internet Explorer settings

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 03:56

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 03:56

Reported

2024-11-04 04:07

Platform

win10ltsc2021-20241023-en

Max time kernel

468s

Max time network

638s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\unregmp2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2651957002" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2675908456" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C7F15CD1-9A61-11EF-B5C6-F2F0875071CF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2625949707" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2625949707" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141486" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31141486" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141486" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141486" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4812 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4812 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4812 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2796 wrote to memory of 64 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2796 wrote to memory of 64 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2796 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2872 wrote to memory of 4312 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 4312 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 4312 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2796 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2796 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\mspaint.exe
PID 2796 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\mspaint.exe
PID 2872 wrote to memory of 1648 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 1648 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 1648 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2796 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 3540 wrote to memory of 1948 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 3540 wrote to memory of 1948 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 3540 wrote to memory of 1948 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 1948 wrote to memory of 1088 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 1948 wrote to memory of 1088 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 2796 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2796 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2796 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2796 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2796 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2796 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2796 wrote to memory of 3268 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 2796 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2796 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2796 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2796 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2796 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2796 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2796 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2796 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\NOTEPAD.EXE
PID 2796 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\NOTEPAD.EXE
PID 2872 wrote to memory of 3992 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 3992 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 3992 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2796 wrote to memory of 384 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\NOTEPAD.EXE
PID 2796 wrote to memory of 384 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\NOTEPAD.EXE
PID 2796 wrote to memory of 5436 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2796 wrote to memory of 5436 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2796 wrote to memory of 5436 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2796 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 5756 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 5756 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2796 wrote to memory of 5756 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
PID 2872 wrote to memory of 5916 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 5916 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2872 wrote to memory of 5916 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:17410 /prefetch:2

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\BlockComplete.mid"

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\BlockImport.wmf"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:17412 /prefetch:2

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\EditSkip.csv"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\FindExpand.docm" /o ""

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\AppData\Roaming\JoinSave.potx"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\LimitRepair.xlsb"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\MergeConvert.ram"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\MergeResume.dotx"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\NewRedo.DVR-MS"

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\NewSwitch.ppsx" /ou ""

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\OutWatch.rmi"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ReadStop.txt

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:17416 /prefetch:2

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ResolveUninstall.css

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\RestoreAssert.pptx" /ou ""

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\UnregisterInitialize.xlsx"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\WatchComplete.xlsm"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:17420 /prefetch:2

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\BlockComplete.mid"

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\BlockImport.wmf"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\EditSkip.csv"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\FindExpand.docm" /o ""

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\AppData\Roaming\JoinSave.potx"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\LimitRepair.xlsb"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\MergeConvert.ram"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\MergeResume.dotx"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\NewRedo.DVR-MS"

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\NewSwitch.ppsx" /ou ""

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\OutWatch.rmi"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ReadStop.txt

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2872 CREDAT:82972 /prefetch:2

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\ResolveUninstall.css

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Roaming\RestoreAssert.pptx" /ou ""

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\UnregisterInitialize.xlsx"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\WatchComplete.xlsm"

Network


Files


C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 77b5b3f08573baacdc4dc5f3caf0b57f
SHA1 c4c89a5698c44369ad364b1472217a1e8c62cd7a
SHA256 8b1069379b37c468d57d013382fcd33b29e78bb4b5e42e6aeda7bb3fe301df44
SHA512 1c0afabc048c10996ff047c02d14840082cd2c32ba2c4eb97b86b84b8ece564f39c96aefc13776e09f6dfbbbbfd5f7c31377fa43a89ce5779862e4cfbdeddd45

C:\Windows\Debug\WIA\wiatrace.log

MD5 c5429d52674ef43d310f16b2da592d70
SHA1 1fe0dc48e6a05072ba48213dca300b3f2170731c
SHA256 16f25a4842bb7ae3b57063c61ef18f7f9ae568fbcdd75d74e9520a862fa77e09
SHA512 1841e4dbc18c8a39a9b028d91560ad206fcd9b8ff9c4f37da72d402d3b72f400ae285fb70fef1a69a6bc91e9e3f16ecb32645b364f2fc77f4fa19fc82cdbf13e

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 20e25674c94a5b318b8a3b6cf28ee4f2
SHA1 8f964265a10c70fa917f14a4526555bdcc7b021d
SHA256 170df7420469b661d9366c9e7f993fc5bb232f95269a6b99ae6e24308cfe0810
SHA512 dd3fb35b0b1c79981d12102ce52222199cf0ebc9a8048e4ee8e315836c5ccfb5e210e8a30d05f84542b277c7caf4788104f8fb9e7dfd2b361838fd7de4be820b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 55a7b1fbaffa8a3e2506bd1e674fe0be
SHA1 d6e13b04d82fb79f1c90a41b30e7192f9adc040a
SHA256 b1a8fb69171e0a0d7449f33e338f9cf558cfc881f5cfec4fed2d90714f2404f3
SHA512 2102e58bd0dbdb2b1377996ea35a5dc7d416d977057df0db090d2dd383811c75fbe34c71060feb9c7fdd9466e3d832c17da8c82f45b511adc8489a2e6a98270f

C:\Users\Admin\AppData\Local\Temp\6649D76.tmp

MD5 caf02cdb281a65d3e850a4537e78299e
SHA1 38bfe30009014af33ddd93afdb7c3a787da34968
SHA256 0527cf810fd133455bf2eed5cbc8a4e44fd877a6cceff9133127305a4eb780ec
SHA512 b8afcdc25da330eab2ee939e7016bdd1af079f7f4f7f3498ee18481ddc073d49c2fbf2f8cadd0431c4dd5df274a5b4264325e34972177e28504290a2bcd33a36

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 ae8a71eb738903532d8ee88a76f311b1
SHA1 875161cbf7745f7dd8a34c1f99a32a0529ba710e
SHA256 17190c1add5178183048963f021e968fccc69b710053e4fe1af6a98178bbdb17
SHA512 cbb43de1bdf258ea14dbe4c9d11eb3b2b2b3b9009c74f06dc8b6831cecf002f21136239b1380e8ae5efa7bb4c5f19522c8efdb984220ec569a44c13eba4d432b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 8a30a9b50fedce017b52120d4343b95a
SHA1 8de5de177d1008f9667108f6b5802a2a52b88a88
SHA256 4550fdafe58e9e306e641eefdb4bfd0a0f560bad671dfe5730a4ef029b3ffb3d
SHA512 7edf4b47f415103805bf251adb8e135398ca632eced27d87ee5d40f8854edc7bdf06e84173ed537791dd0a56554d6e692e500274f991bec08d408f9dc73cbab1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 c92768057aba1f694f0cfe072cc9a3f2
SHA1 0091ad939dd5767aa3d6916789db561bb1da8b97
SHA256 d41fed6d3d85a744023c5e54b120057f6953f736d8c1d29c56493edbc6e3dbb1
SHA512 fe24f7ee70f6575f48b1d71db77aeb216cd603964ce58d3f1fe00a0d93ed0bc81be69ac48062413f680c0aec46e35faedb8ee833048c2ae826be5c8d5f2abc60

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0001.tmp

MD5 8f4f1417203d453f9fcbbfc7db0d04d3
SHA1 90c0170447a52f1f7419f1e08744b31a42bb376c
SHA256 dcae6dddc1e08fb0035cf2d49777640da19d5d80afb08f4b30eacf6944ae2b26
SHA512 4f4bed2ab24ca280f2b0b862949a2c7e25e44aa0cbfcf58b081992c0575f6d94fbb7006915947aa7d9f2c12b00aaa71c509c56e6618bf3baafbbf02b2eaf3983

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 d6b77cbd45e4d0797607d9e11cdd86b9
SHA1 07358a296d550e2a125314923f7747f3bcc25442
SHA256 54d7cba3d04cd5eb3fb745cb213c630f522d0ed31f65b917dc33f25e103f4c21
SHA512 ac3ac4c89e439641e9a335f20d79ec4685199023da8d0ed545e9eb436c3aacfa42a0822d154dbbf02c980d23091f16c399dd32d34b0a54adf3ce829bfb8c3f10

C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

MD5 3317d372ce032eab6706ee100b856df5
SHA1 46a9dcbc70d70f379b6444cb468313396799374c
SHA256 c4d7903f46825098a414861330dd6ea8c5fc581c0f0159300d8d4f0b2b2ab4db
SHA512 e094d477cec444397875186e049c9d8ca1a574a3fee4cb6f1b9893742347640b5cbcb6dbc3fd28f9989c9c17ac5ca02923bf485c22602cdc59087c05223b5e3d

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 6c3cca902d502b5a1d0a85fbc7674d34
SHA1 abef9fb6d4c8c44ccdab404397b26bf8a36d6315
SHA256 545da78824e86b34793908942bb99b6d5ea66eb02008bc6cb04930a52d93daea
SHA512 51b043452cb2c6adab6445462efefc81f162b06b378ffabc05581781ba37a4c51ad6c454ed67d78473917cc5e68e536d189b4e50dc497fe38431f403120c1367

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal

MD5 76163590deb7eca4602819cc7a0a39fb
SHA1 091010b186778d68b6f50ac46ce0b7dc6e0af689
SHA256 4eaa4bdf747ce9f986228c683669cd4620531d3e910708eb6deebaa618b33c27
SHA512 d79c84409d1cc6a76fbb9d72b3369cd67eb347995eab0b63c04f33c4384e0db47f3d43877cf36a6e738e747ee101a511f8ec30d7dd298226b4056c68a1b3dc05

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\11JOSQNO\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

MD5 1f2ed385e3e3921cd7565a7cb0cade67
SHA1 4214704094e016b9e73390b0fb28ed378a3afbb1
SHA256 202f09d4180668545b943e331644455e10c2650246869d0ab2b872c572cb222b
SHA512 629f5e57c1078140d170b9b00989d14eedb03d1c1f44d7fc7f06b423e3161df987411c22eba7bb3bee843417d57366534eacdf2aa226273222807de79e20210f