General Info

URL

http://engdownload.diskgenius.cn/ERFreeSetup435385_eng.exe

Full analysis
https://app.any.run/tasks/de59c6b8-1b55-4306-bd42-e3b993a19f29
Verdict
Malicious activity
Analysis date
8/13/2019, 22:26:59
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
180 seconds
Additional time used
120 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • EassosRecovery.exe (PID: 3644)
Application was dropped or rewritten from another process
  • EassosRecovery.exe (PID: 3644)
Changes settings of System certificates
  • EassosRecovery.exe (PID: 3644)
Executed via COM
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1208)
Reads the Windows organization settings
  • ERFreeSetup435385_eng.tmp (PID: 2596)
Executable content was dropped or overwritten
  • ERFreeSetup435385_eng.tmp (PID: 2596)
  • ERFreeSetup435385_eng.exe (PID: 2980)
  • ERFreeSetup435385_eng.exe (PID: 2100)
Starts Internet Explorer
  • ERFreeSetup435385_eng.tmp (PID: 316)
Adds / modifies Windows certificates
  • EassosRecovery.exe (PID: 3644)
Modifies the open verb of a shell class
  • ERFreeSetup435385_eng.tmp (PID: 2596)
Low-level read access rights to disk partition
  • EassosRecovery.exe (PID: 3644)
Reads Windows owner or organization settings
  • ERFreeSetup435385_eng.tmp (PID: 2596)
Creates files in the user directory
  • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1208)
  • iexplore.exe (PID: 3880)
  • iexplore.exe (PID: 2932)
  • iexplore.exe (PID: 304)
Reads internet explorer settings
  • iexplore.exe (PID: 3880)
Application launched itself
  • iexplore.exe (PID: 2156)
  • iexplore.exe (PID: 2932)
Reads Internet Cache Settings
  • iexplore.exe (PID: 3880)
  • iexplore.exe (PID: 2932)
  • iexplore.exe (PID: 304)
Creates files in the program directory
  • ERFreeSetup435385_eng.tmp (PID: 2596)
Creates a software uninstall entry
  • ERFreeSetup435385_eng.tmp (PID: 2596)
Changes internet zones settings
  • iexplore.exe (PID: 2156)
  • iexplore.exe (PID: 2932)
Application was dropped or rewritten from another process
  • ERFreeSetup435385_eng.tmp (PID: 2596)
  • ERFreeSetup435385_eng.tmp (PID: 316)

Processes

Total processes
47
Monitored processes
10
Malicious processes
3
Suspicious processes
1

Behavior graph

Behavior graph nodes (the graph itself is rendered interactively in the full report; edges are labelled "start" and "drop and start"): iexplore.exe, iexplore.exe, erfreesetup435385_eng.exe, erfreesetup435385_eng.tmp (no specs), erfreesetup435385_eng.exe, erfreesetup435385_eng.tmp, eassosrecovery.exe, iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe (no specs)

Process information

PID
2932
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\secur32.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mlang.dll
c:\users\admin\downloads\erfreesetup435385_eng.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
304
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2932 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\system32\wpc.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\winmm.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\wintrust.dll

PID
2980
CMD
"C:\Users\admin\Downloads\ERFreeSetup435385_eng.exe"
Path
C:\Users\admin\Downloads\ERFreeSetup435385_eng.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Eassos Co., Ltd.
Description
Eassos Recovery Setup
Version
4.3.5
Modules
Image
c:\users\admin\downloads\erfreesetup435385_eng.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\is-506vv.tmp\erfreesetup435385_eng.tmp

PID
316
CMD
"C:\Users\admin\AppData\Local\Temp\is-506VV.tmp\ERFreeSetup435385_eng.tmp" /SL5="$E01E4,44063119,121344,C:\Users\admin\Downloads\ERFreeSetup435385_eng.exe"
Path
C:\Users\admin\AppData\Local\Temp\is-506VV.tmp\ERFreeSetup435385_eng.tmp
Indicators
No indicators
Parent process
ERFreeSetup435385_eng.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-506vv.tmp\erfreesetup435385_eng.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\program files\internet explorer\iexplore.exe

PID
2100
CMD
"C:\Users\admin\Downloads\ERFreeSetup435385_eng.exe" /SPAWNWND=$701C0 /NOTIFYWND=$E01E4
Path
C:\Users\admin\Downloads\ERFreeSetup435385_eng.exe
Indicators
Parent process
ERFreeSetup435385_eng.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Eassos Co., Ltd.
Description
Eassos Recovery Setup
Version
4.3.5
Modules
Image
c:\users\admin\downloads\erfreesetup435385_eng.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\version.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\is-290md.tmp\erfreesetup435385_eng.tmp

PID
2596
CMD
"C:\Users\admin\AppData\Local\Temp\is-290MD.tmp\ERFreeSetup435385_eng.tmp" /SL5="$C01E0,44063119,121344,C:\Users\admin\Downloads\ERFreeSetup435385_eng.exe" /SPAWNWND=$701C0 /NOTIFYWND=$E01E4
Path
C:\Users\admin\AppData\Local\Temp\is-290MD.tmp\ERFreeSetup435385_eng.tmp
Indicators
Parent process
ERFreeSetup435385_eng.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Setup/Uninstall
Version
51.1052.0.0
Modules
Image
c:\users\admin\appdata\local\temp\is-290md.tmp\erfreesetup435385_eng.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\version.dll
c:\windows\system32\mpr.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\propsys.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\rstrtmgr.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\imageres.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\program files\eassos recovery\eassosrecovery.exe
c:\program files\eassos recovery\unins000.exe
c:\windows\system32\netutils.dll

PID
3644
CMD
"C:\Program Files\Eassos Recovery\EassosRecovery.exe"
Path
C:\Program Files\Eassos Recovery\EassosRecovery.exe
Indicators
Parent process
ERFreeSetup435385_eng.tmp
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\program files\eassos recovery\eassosrecovery.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\oledlg.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\userenv.dll
c:\windows\system32\schannel.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\secur32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\program files\eassos recovery\dsoframer.ocx
c:\windows\system32\sxs.dll
c:\windows\system32\acppage.dll

PID
2156
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
ERFreeSetup435385_eng.tmp
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\clbcatq.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\version.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\msfeeds.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\mlang.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\wship6.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
3880
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2156 CREDAT:71937
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
iexplore.exe
User
admin
Integrity Level
LOW
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\ole32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\progra~1\micros~1\office14\urlredir.dll
c:\windows\system32\secur32.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\progra~1\micros~1\office14\msohev.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\qagentrt.dll
c:\windows\system32\fveui.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\iepeers.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msimtf.dll
c:\windows\system32\feclient.dll
c:\windows\system32\t2embed.dll
c:\windows\system32\jscript.dll
c:\windows\system32\macromed\flash\flash32_26_0_0_131.ocx
c:\windows\system32\winmm.dll
c:\windows\system32\dsound.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\mscms.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\imgutil.dll
c:\windows\system32\pngfilt.dll
c:\windows\system32\dxtrans.dll
c:\windows\system32\atl.dll
c:\windows\system32\ddrawex.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\dxtmsft.dll

PID
1208
CMD
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path
C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Adobe Systems Incorporated
Description
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version
26,0,0,131
Modules
Image
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\comres.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\secur32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\version.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\psapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\macromed\flash\flashutil32_26_0_0_131_activex.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\dinput8.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mlang.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll

Registry activity

Total events
2014
Read events
1772
Write events
239
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
2932
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019032320190324
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{BCD9771B-BE08-11E9-9885-5254004A04AF}
0
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
2
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307080002000D0014001B001000D301
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
2
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307080002000D0014001B001000D301
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
08000000020000000C01000001000000020000007E0000000000000070003200EC000000464B245120005355474745537E312E55524C0000540008000400EFBE454B974D464B24512A000000F94300000000020000000000000000000000000000005300750067006700650073007400650064002000530069007400650073002E00750072006C0000001C00000000000000820000000100000074003200E2000000464B24512000574542534C497E312E55524C0000580008000400EFBE454B864A464B24512A000000743E0000000003000000000000000000000000000000570065006200200053006C006900630065002000470061006C006C006500720079002E00750072006C0000001C00000000000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
2
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307080002000D0014001B0010006002
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
8
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
2
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307080002000D0014001B0010006F02
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
61
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
2
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307080002000D0014001B0010000C03
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
26
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
0
43003A005C00500072006F006700720061006D002000460069006C00650073005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C0069006500780070006C006F00720065002E00650078006500000043003A005C00550073006500720073005C00610064006D0069006E005C0044006F0077006E006C006F006100640073000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\FirstFolder
MRUListEx
00000000FFFFFFFF
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
NodeSlots
0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
MRUListEx
0700000001000000000000000200000006000000030000000500000004000000FFFFFFFF
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\7
MRUListEx
0000000001000000FFFFFFFF
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\Shell
SniffedFolderType
Generic
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
1
69006500780070006C006F00720065002E00650078006500000014001F44471A0359723FA74489C55595FE6B30EE200000001A00EEBBFE230000100090E24D373F126545916439C4925E467B00000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
MRUListEx
0100000000000000FFFFFFFF
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\exe
0
14001F44471A0359723FA74489C55595FE6B30EE200000001A00EEBBFE230000100090E24D373F126545916439C4925E467B0000880032000000000000000000800045524672656553657475703433353338355F656E672E65786500600008000400EFBE00000000000000002A00000000000000000000000000000000000000000000000000450052004600720065006500530065007400750070003400330035003300380035005F0065006E0067002E00650078006500000028000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\exe
MRUListEx
00000000FFFFFFFF
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
1
14001F44471A0359723FA74489C55595FE6B30EE200000001A00EEBBFE230000100090E24D373F126545916439C4925E467B0000880032000000000000000000800045524672656553657475703433353338355F656E672E65786500600008000400EFBE00000000000000002A00000000000000000000000000000000000000000000000000450052004600720065006500530065007400750070003400330035003300380035005F0065006E0067002E00650078006500000028000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\*
MRUListEx
0100000000000000FFFFFFFF
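The OpenSavePidlMRU\exe and OpenSavePidlMRU\* values written by iexplore.exe (PID 2932) are the Save As dialog's most-recently-used list, and both carry the same ITEMIDLIST (PIDL). Decoding it tells a responder where the downloaded sample was written without having to trust the file-system view. The Python below is an added example, not part of the ANY.RUN report: the hex is copied from the value above (split per shell item for readability only), the two folder GUIDs are matched against the public values of CLSID_UsersFiles and FOLDERID_Downloads, the per-version offset of the long name inside a 0xBEEF0004 extension block follows the libfwsi shell item documentation, and FOLDER_NAMES, parse_pidl and describe_pidl are names chosen here.

```python
"""Decode the OpenSavePidlMRU ITEMIDLIST recorded above. Added example, not part
of the ANY.RUN report; offsets follow the libfwsi shell item documentation."""
import struct
import uuid

# The ...\OpenSavePidlMRU\exe\0 value from the report, split per shell item.
OPENSAVE_PIDL_HEX = (
    "14001F44471A0359723FA74489C55595FE6B30EE"                          # root item (0x1F): CLSID
    "200000001A00EEBBFE230000100090E24D373F126545916439C4925E467B0000"  # known-folder item: GUID
    "880032000000000000000000800045524672656553657475703433353338355F"  # file entry (0x32), ASCII name
    "656E672E65786500600008000400EFBE00000000000000002A00000000000000"  # 0xBEEF0004 block, version 8
    "0000000000000000000000000000000000004500520046007200650065005300"  # UTF-16LE long name
    "65007400750070003400330035003300380035005F0065006E0067002E006500"
    "78006500000028000000"                                              # name NUL, block offset, end
)

FOLDER_NAMES = {
    "59031a47-3f72-44a7-89c5-5595fe6b30ee": "<UsersFiles>",  # CLSID_UsersFiles
    "374de290-123f-4565-9164-39c4925e467b": "Downloads",     # FOLDERID_Downloads
}
# Offset of the UTF-16 long name inside a 0xBEEF0004 block, by block version.
LONG_NAME_OFFSET = {3: 20, 7: 38, 8: 42, 9: 46}


def _utf16z(buf: bytes, start: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at start."""
    end = start
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[start:end].decode("utf-16-le")


def parse_pidl(blob: bytes) -> list:
    """Walk an ITEMIDLIST and return one tuple per shell item."""
    items, off = [], 0
    while True:
        (cb,) = struct.unpack_from("<H", blob, off)
        if cb == 0:                              # zero-size item terminates the list
            break
        item = blob[off + 2:off + cb]
        kind = item[0]
        if kind == 0x1F:                         # root item: sort index, then a CLSID
            items.append(("root", str(uuid.UUID(bytes_le=item[2:18]))))
        elif kind == 0x00 and item[4:8] == b"\xEE\xBB\xFE\x23":   # known-folder item
            items.append(("known_folder", str(uuid.UUID(bytes_le=item[12:28]))))
        elif (kind & 0x70) == 0x30:              # file entry: size, DOS date/time, attrs, name
            name_end = item.index(b"\x00", 12)
            short_name = item[12:name_end].decode("ascii")
            ext_off = (name_end + 2) & ~1        # extension block is 2-byte aligned after the NUL
            _size, ext_ver, sig = struct.unpack_from("<HHI", item, ext_off)
            long_name = short_name
            if sig == 0xBEEF0004 and ext_ver in LONG_NAME_OFFSET:
                long_name = _utf16z(item, ext_off + LONG_NAME_OFFSET[ext_ver])
            items.append(("file", short_name, long_name))
        else:
            items.append(("unknown", item.hex()))
        off += cb
    return items


def describe_pidl(hex_value: str) -> str:
    """Render the ITEMIDLIST as a path, naming the known folders it passes through."""
    parts = []
    for item in parse_pidl(bytes.fromhex(hex_value)):
        if item[0] in ("root", "known_folder"):
            parts.append(FOLDER_NAMES.get(item[1], "{%s}" % item[1]))
        elif item[0] == "file":
            parts.append(item[2])
    return "\\".join(parts)
```

describe_pidl(OPENSAVE_PIDL_HEX) yields <UsersFiles>\Downloads\ERFreeSetup435385_eng.exe, which agrees with the Download Directory value (C:\Users\admin\Downloads) that iexplore.exe writes further down this listing. The file entry carries a zero size and zero DOS timestamps because the Save As dialog records the target before the file exists.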
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
1
69006500780070006C006F00720065002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
1
69006500780070006C006F00720065002E00650078006500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000B1010000BE000000310400009E020000000000000000000000000000000000000100000000000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
1
69006500780070006C006F00720065002E0065007800650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AE010000B000000051030000BA01000000000000000000000000000000000000B1010000BE000000310400009E020000000000000000000000000000000000000100000000000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU
MRUListEx
0100000000000000FFFFFFFF
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Mode
4
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
LogicalViewMode
1
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1092616257
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
IconSize
16
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
ColInfo
00000000000000000000000000000000FDDFDFFD100000000000000000000000040000001800000030F125B7EF471A10A5F102608C9EEBAC0A0000001001000030F125B7EF471A10A5F102608C9EEBAC0E0000007800000030F125B7EF471A10A5F102608C9EEBAC040000007800000030F125B7EF471A10A5F102608C9EEBAC0C00000050000000
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
Sort
000000000000000000000000000000000100000030F125B7EF471A10A5F102608C9EEBAC0A00000001000000
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupView
0
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:FMTID
{00000000-0000-0000-0000-000000000000}
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByKey:PID
0
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
GroupByDirection
1
2932
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\53\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}
FFlags
1
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CIDSave\Modules\GlobalSettings\ProperTreeModuleInner
ProperTreeModuleInner
9C000000980000003153505305D5CDD59C2E1B10939708002B2CF9AE3B0000002A000000004E0061007600500061006E0065005F004300460044005F0046006900720073007400520075006E0000000B000000000000004100000030000000004E0061007600500061006E0065005F00530068006F0077004C00690062007200610072007900500061006E00650000000B000000FFFF00000000000000000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Modules\NavPane
ExpandedState
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
Download Directory
C:\Users\admin\Downloads
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\Enum
Implementing
1C00000001000000E307080002000D0014001B003A003D0000000000
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
2932
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
NotifyDownloadComplete
yes
304
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012018082820180829
304
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CachePath
%USERPROFILE%\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019081320190814
304
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CachePrefix
:2019081320190814:
304
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheLimit
8192
304
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheOptions
11
304
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Extensible Cache\MSHist012019081320190814
CacheRepair
0
2596
ERFreeSetup435385_eng.tmp
delete key
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
2596
ERFreeSetup435385_eng.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Owner
240A0000B6FC9B9B1552D501
2596
ERFreeSetup435385_eng.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
SessionHash
8A09D49FDD9C7BFB1A11C07DB95FFBAA20536793E29B9C515F2DC341174C5F7E
2596
ERFreeSetup435385_eng.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Sequence
1
2596
ERFreeSetup435385_eng.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFiles0000
C:\Program Files\Eassos Recovery\EassosRecovery.exe
2596
ERFreeSetup435385_eng.tmp
write
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
RegFilesHash
8F075D4E55ABC14FACFFF8E759FFB1F6DFCA1FD609AD1733F844106E8162F3F9
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.easrecdata
easrecdatafile
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\easrecdatafile
easrec data file
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\easrecdatafile
dataflags
C63DB8912A87A97052F0E036C8C88544D4B988F76EC2B6350671A1D566C79F5EF6409902E0C5296362D08315EA03AC6B70013B04605E102012305292090F0F3F
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\easrecdatafile\DefaultIcon
C:\Windows\system32\imageres.dll,-102
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\easrecdatafile\Shell\Open\Command
C:\Windows\system32\NOTEPAD.EXE %1
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Eassos\EassosRecovery\Reg
RecData
662958C50F57AA7A3C14E9C0E44F182EE63970A144CD084288C401C78DD3151F6071E9E08315212454083914CE9C11226EF548F569460D615EA931B66544011A
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
Inno Setup: Setup Version
5.6.1 (u)
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
Inno Setup: App Path
C:\Program Files\Eassos Recovery
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
InstallLocation
C:\Program Files\Eassos Recovery\
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
Inno Setup: Icon Group
Eassos Recovery
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
Inno Setup: User
admin
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
Inno Setup: Language
english
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
DisplayName
Eassos Recovery V4.3.5
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
DisplayIcon
C:\Program Files\Eassos Recovery\EassosRecovery.exe
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
UninstallString
"C:\Program Files\Eassos Recovery\unins000.exe"
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
QuietUninstallString
"C:\Program Files\Eassos Recovery\unins000.exe" /SILENT
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
Publisher
Eassos Co., Ltd.
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
URLInfoAbout
http://www.eassos.com/
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
HelpLink
http://www.eassos.com/
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
URLUpdateInfo
http://www.eassos.com/
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
NoModify
1
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
NoRepair
1
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
InstallDate
20190813
2596
ERFreeSetup435385_eng.tmp
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{97B648DA-2BBF-47EE-864E-EF029C23A425}_is1
EstimatedSize
55160
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASAPI32
EnableFileTracing
0
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASAPI32
EnableConsoleTracing
0
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASAPI32
FileTracingMask
4294901760
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASAPI32
ConsoleTracingMask
4294901760
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASAPI32
MaxFileSize
1048576
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASAPI32
FileDirectory
%windir%\tracing
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASMANCS
EnableFileTracing
0
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASMANCS
EnableConsoleTracing
0
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASMANCS
FileTracingMask
4294901760
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASMANCS
ConsoleTracingMask
4294901760
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASMANCS
MaxFileSize
1048576
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EassosRecovery_RASMANCS
FileDirectory
%windir%\tracing
3644
EassosRecovery.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
3644
EassosRecovery.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
3644
EassosRecovery.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3644
EassosRecovery.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3644
EassosRecovery.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A
Blob
0F00000001000000100000005F3D1AA6F471A760663EB7EF254281EF53000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C0620000000100000020000000AB7036365C7154AA29C2C29F5D4191163B162A2225011357D56D07FFA7BC1F72090000000100000016000000301406082B0601050507030106082B060105050703031400000001000000140000005FF3246C8F9124AF9B5F3EB0346AF42D5CA85DCC1D0000000100000010000000D4803AC36C256817D4EC5936F29BC4E70B000000010000000E00000074006800610077007400650000006800000001000000080000000000876ACE99D101030000000100000014000000627F8D7827656399D27D7F9044C9FEB3F33EFA9A20000000010000002B030000308203273082029 0A003020102020101300D06092A864886F70D01010405003081CE310B3009060355040613025A41311530130603550408130C5765737465726E204361706531123010060355040713094361706520546F776E311D301B060355040A131454686177746520436F6E73756C74696E6720636331283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E3121301F06035504031318546861777465205072656D69756D205365727665722043413128302606092A864886F70D01090116197072656D69756D2D736572766572407468617774652E636F6D301E170D3936303830313030303030305A170D3230313233313233353935395A3081CE310B3009060355040613025A41311530130603550408130C5765737465726E204361706531123010060355040713094361706520546F776E311D301B060355040A131454686177746520436F6E73756C74696E6720636331283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E3121301F06035504031318546861777465205072656D69756D205365727665722043413128302606092A864886F70D01090116197072656D69756D2D736572766572407468617774652E636F6D30819F300D06092A864886F70D010101050003818D0030818902818100D236366A8BD7C25B9EDA8141628F38EE490455D6D0EF1C1B951647EF1848353A52F42B6A068F3B2FEA56E3AF868D9E17F79EB46575024DEFCB09A22151D89BD067D0BA0D92061473D493CB972A009C5C4E0CBCFA1552FCF2446EDA114A6E089F2F2DE3F9AA3A8673B6465358C88905BD8311B8733FAA078DF4424DE7409D1C370203010001A3133011300F0603551D130101FF040530030101FF300D06092A864886F70D01010405000381810026482C16C258FAE816740CAAAA5F543FF2D7C978605E5E6E37632277367EB217C434B9F50885FCC90138FF4DBEF2164243E7BB5A46FBC1C6111FF14AB02846C9C3C4427DBCFAAB596ED5B7518811E3A485196B824CA40C12ADE9A4AE3FF1C349659A8CC5C83E25B79499BB92327107F0865EED5027A60DA623F9BBCBA6071442
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A
Blob
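The writes by EassosRecovery.exe (PID 3644) under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates are the trace of crypt32's automatic root update running inside that process: when a chain is built to a root that is not yet cached locally, the root is fetched from the Windows Update CTL and stored under its SHA-1 thumbprint, and the sandbox attributes the registry write to the calling application. The check a responder wants is that the cached certificate really is the root the key name claims, rather than a planted one. The Blob value is a serialized certificate context: a run of records, each a DWORD property id, a DWORD reserved field (observed as 1), a DWORD length and the data, with CERT_CERT_PROP_ID (0x20) holding the DER certificate. The Python below is an added example, not part of the ANY.RUN report: it embeds the 627F8D78... Blob from this listing (joined across its line break and split on record and ASN.1 boundaries for readability, bytes unchanged), recomputes the SHA-1 of the DER and compares it with the key name and with the stored CERT_SHA1_HASH_PROP_ID (0x03). Property-id names in the comments are wincrypt.h constants; parse_cert_blob, cert_summary and check_authroot_entry are names chosen here, and the FILETIME property 0x68 is left undecoded.

```python
"""Cross-check the AuthRoot Blob recorded above. Added example, not part of the
ANY.RUN report: the hex is the report's value, split only for readability."""
import hashlib
import struct

AUTHROOT_KEY = "627F8D7827656399D27D7F9044C9FEB3F33EFA9A"

# Issuer and subject of this self-signed root encode to the same bytes.
THAWTE_NAME_HEX = (
    "3081CE310B3009060355040613025A41"                                # C=ZA
    "311530130603550408130C5765737465726E2043617065"                  # ST=Western Cape
    "31123010060355040713094361706520546F776E"                        # L=Cape Town
    "311D301B060355040A131454686177746520436F6E73756C74696E67206363"  # O=Thawte Consulting cc
    "31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E"  # OU
    "3121301F06035504031318546861777465205072656D69756D20536572766572204341"  # CN=Thawte Premium Server CA
    "3128302606092A864886F70D01090116197072656D69756D2D736572766572407468617774652E636F6D"  # emailAddress
)

THAWTE_BLOB_HEX = (
    "0F00000001000000100000005F3D1AA6F471A760663EB7EF254281EF"        # 0x0F CERT_SIGNATURE_HASH_PROP_ID
    "53000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C0"  # 0x53
    "620000000100000020000000AB7036365C7154AA29C2C29F5D4191163B162A2225011357D56D07FFA7BC1F72"  # 0x62 SHA-256
    "090000000100000016000000301406082B0601050507030106082B06010505070303"  # 0x09 CERT_ENHKEY_USAGE_PROP_ID
    "1400000001000000140000005FF3246C8F9124AF9B5F3EB0346AF42D5CA85DCC"  # 0x14 CERT_KEY_IDENTIFIER_PROP_ID
    "1D0000000100000010000000D4803AC36C256817D4EC5936F29BC4E7"          # 0x1D 16-byte hash
    "0B000000010000000E0000007400680061007700740065000000"              # 0x0B friendly name, UTF-16LE
    "6800000001000000080000000000876ACE99D101"                          # 0x68 FILETIME
    "030000000100000014000000627F8D7827656399D27D7F9044C9FEB3F33EFA9A"  # 0x03 CERT_SHA1_HASH_PROP_ID
    "20000000010000002B030000"                                          # 0x20 CERT_CERT_PROP_ID, 811 bytes
    "3082032730820290A003020102020101300D06092A864886F70D0101040500"    # v3, serial 01, md5WithRSA
    + THAWTE_NAME_HEX                                                   # issuer
    + "301E170D3936303830313030303030305A170D3230313233313233353935395A"  # validity, two UTCTimes
    + THAWTE_NAME_HEX                                                   # subject
    + "30819F300D06092A864886F70D010101050003818D0030818902818100"      # RSA-1024 public key
    "D236366A8BD7C25B9EDA8141628F38EE490455D6D0EF1C1B951647EF1848353A"
    "52F42B6A068F3B2FEA56E3AF868D9E17F79EB46575024DEFCB09A22151D89BD0"
    "67D0BA0D92061473D493CB972A009C5C4E0CBCFA1552FCF2446EDA114A6E089F"
    "2F2DE3F9AA3A8673B6465358C88905BD8311B8733FAA078DF4424DE7409D1C37"
    "0203010001A3133011300F0603551D130101FF040530030101FF"              # e=65537, basicConstraints CA
    "300D06092A864886F70D010104050003818100"                            # signature algorithm, BIT STRING
    "26482C16C258FAE816740CAAAA5F543FF2D7C978605E5E6E37632277367EB217"
    "C434B9F50885FCC90138FF4DBEF2164243E7BB5A46FBC1C6111FF14AB02846C9"
    "C3C4427DBCFAAB596ED5B7518811E3A485196B824CA40C12ADE9A4AE3FF1C349"
    "659A8CC5C83E25B79499BB92327107F0865EED5027A60DA623F9BBCBA6071442"
)


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized certificate context into {property id: data}."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, _reserved, size = struct.unpack_from("<III", blob, off)   # reserved observed as 1
        off += 12
        if off + size > len(blob):
            raise ValueError("property %#x overruns the blob" % prop_id)
        props[prop_id] = blob[off:off + size]
        off += size
    return props


def _der(buf: bytes, off: int):
    """Decode one DER TLV header at off: (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length


def cert_summary(der: bytes) -> dict:
    """Serial number and validity from a DER Certificate via a minimal TLV walk."""
    _, tbs_off, _ = _der(der, 0)               # Certificate ::= SEQUENCE
    _, off, tbs_end = _der(der, tbs_off)       # TBSCertificate ::= SEQUENCE
    fields = []
    while off < tbs_end and len(fields) < 5:
        tag, start, end = _der(der, off)
        fields.append((tag, der[start:end]))
        off = end
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields.pop(0)
    serial, _alg, _issuer, validity = fields[:4]
    _, s1, e1 = _der(validity[1], 0)           # notBefore
    _, s2, e2 = _der(validity[1], e1)          # notAfter
    return {"serial": serial[1].hex(), "not_before": validity[1][s1:e1].decode(),
            "not_after": validity[1][s2:e2].decode()}


def check_authroot_entry(key_name: str, blob_hex: str) -> dict:
    """Recompute hashes from the DER and compare them with the key name and stored properties."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[0x20]                          # CERT_CERT_PROP_ID
    sha1 = hashlib.sha1(der).hexdigest().upper()
    result = cert_summary(der)
    result.update(
        friendly_name=props[0x0B].decode("utf-16-le").rstrip("\x00"),
        sha1=sha1,
        sha1_matches_key=sha1 == key_name.upper(),
        sha1_matches_prop=sha1 == props[0x03].hex().upper(),
        sha256_matches_prop=hashlib.sha256(der).hexdigest().upper() == props[0x62].hex().upper(),
    )
    return result
```

check_authroot_entry(AUTHROOT_KEY, THAWTE_BLOB_HEX) reports friendly name thawte, serial 01, validity 960801000000Z to 201231235959Z and a recomputed SHA-1 equal to the key name, so the cached entry is the Thawte Premium Server CA root named in the DER. A recomputed hash that differs from the key name or from property 0x03, or a DER whose subject is not a root-program member, would turn this benign-looking write into an indicator worth chasing.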
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}
DSO Framer Control Object
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\InprocServer32
ThreadingModel
Apartment
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\InprocServer32
C:\Program Files\Eassos Recovery\dsoframer.ocx
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\ProgID
DSOFramer.FramerControl
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\ToolboxBitmap32
C:\Program Files\Eassos Recovery\dsoframer.ocx,102
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\TypeLib
{00460180-9E5E-11d5-B7C8-B8269041DD57}
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\Version
1.3
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\MiscStatus
131473
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00460182-9E5E-11d5-B7C8-B8269041DD57}\DataFormats\GetSet\0
3,1,32,1
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DSOFramer.FramerControl
DSO ActiveX Document Framer Control
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DSOFramer.FramerControl\CLSID
{00460182-9E5E-11d5-B7C8-B8269041DD57}
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\1.3
DSO ActiveX Document Framer Control
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\1.3\FLAGS
2
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\1.3\0\win32
C:\Program Files\Eassos Recovery\dsoframer.ocx
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00460180-9E5E-11D5-B7C8-B8269041DD57}\1.3\HELPDIR
C:\Program Files\Eassos Recovery
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}
_FramerControl
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid
{00020424-0000-0000-C000-000000000046}
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32
{00020424-0000-0000-C000-000000000046}
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib
{00460180-9E5E-11D5-B7C8-B8269041DD57}
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460181-9E5E-11D5-B7C8-B8269041DD57}\TypeLib
Version
1.3
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}
_DFramerCtlEvents
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid
{00020420-0000-0000-C000-000000000046}
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\ProxyStubClsid32
{00020420-0000-0000-C000-000000000046}
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\TypeLib
{00460180-9E5E-11D5-B7C8-B8269041DD57}
3644
EassosRecovery.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00460185-9E5E-11D5-B7C8-B8269041DD57}\TypeLib
Version
1.3
3644
EassosRecovery.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
@C:\Windows\System32\acppage.dll,-6002
Windows Batch File
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
CompatibilityFlags
0
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
SecuritySafe
1
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000093000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
{E247A82F-BE08-11E9-9885-5254004A04AF}
0
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Type
4
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Count
3
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Time
E307080002000D0014001C001200E703
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Type
4
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Count
3
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore
Time
E307080002000D0014001C001200E703
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
FullScreen
no
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Window_Placement
2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links
Order
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
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Type
3
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Count
3
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
Time
E307080002000D0014001C0013000901
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore
LoadTime
10
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Type
3
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Count
3
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
Time
E307080002000D0014001C0013002801
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore
LoadTime
55
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Type
3
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Count
3
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
Time
E307080002000D0014001C0013004701
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
LoadTime
25
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Path
C:\Users\admin\Favorites\Links\Suggested Sites.url
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
FeedUrl
https://ieonline.microsoft.com/#ieslice
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayName
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
ErrorState
0
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
DisplayMask
0
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Path
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
Handler
{B0FA7D7C-7195-4F03-B03E-9DC1C9EBC394}
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
FeedUrl
http://go.microsoft.com/fwlink/?LinkId=121315
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayName
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
ErrorState
0
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1
DisplayMask
0
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Type
1
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Count
1
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore
Time
E307080002000D0014001C001D001F00
2156
iexplore.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
UpgradeTime
00A420AD1552D501
2156
iexplore.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US

Files activity

Executable files: 13
Suspicious files: 6
Text files: 77
Unknown types: 14

Dropped files

PID
Process
Filename
Type
2980
ERFreeSetup435385_eng.exe
C:\Users\admin\AppData\Local\Temp\is-506VV.tmp\ERFreeSetup435385_eng.tmp
executable
MD5: 42c8edbc1523800acb901c45e6d6b9e2
SHA256: fbb9e655d2656ba343f2e921a2054638d3e698b4c1d3987483b9f248f16a9f39
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\avformat-57.dll
executable
MD5: 5dd77930595719821e6b351c442ab46e
SHA256: 032c70de7348ab1596b71d70228cf330b9a0f0ff77fb7040fecec62bbc1e250c
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\SDL2.dll
executable
MD5: 0c83d629d47895ec130cd791f33e3c90
SHA256: 149781bbcbd38dfe6a0b71200adf7593a4af7bfa3e44975abc7144da494c1fe5
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\dsoframer.ocx
executable
MD5: 3f4fa9fd2adc31923165465f893e1680
SHA256: d5019a52524c63cd1b2c1b84af706c023b98b4eec1c2afdbcfe9c1dcb570542a
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\avutil-55.dll
executable
MD5: a72eeb987826a886f4757def4baf014e
SHA256: def1e642a909a1b747032e26797be85a6ba22ebb121755b6be84204c9d11efaf
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\EassosRecovery.exe
executable
MD5: 5397ad9a0ae00197f786837baec96818
SHA256: ead1026bb44870b90f461d87914cb261a5b7050f7c34250ccf6416265b5724dc
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\unins000.exe
executable
MD5: 42c8edbc1523800acb901c45e6d6b9e2
SHA256: fbb9e655d2656ba343f2e921a2054638d3e698b4c1d3987483b9f248f16a9f39
2100
ERFreeSetup435385_eng.exe
C:\Users\admin\AppData\Local\Temp\is-290MD.tmp\ERFreeSetup435385_eng.tmp
executable
MD5: 42c8edbc1523800acb901c45e6d6b9e2
SHA256: fbb9e655d2656ba343f2e921a2054638d3e698b4c1d3987483b9f248f16a9f39
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\OfflineReg.exe
executable
MD5: ac018ee8ad9cddc15fcbe093da596016
SHA256: 6f5a672677832bf6f48da0df8c0f9b63cef5c095a7b41aa85f833d96da58bfb7
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\avcodec-57.dll
executable
MD5: fab36f23dca708801dd91e26ce0b6704
SHA256: fdc91ff9165cbc0737395c377845412dbc98e060bfaffbd68c7dd0e0ad370507
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\swresample-2.dll
executable
MD5: d0b9b9bbf59e62da292966391d8c185a
SHA256: 2165c51b49247722a527290329be5b7a514de9f18e167a741d2b75754a0964d9
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\swscale-4.dll
executable
MD5: 6b7bbebab47522b8e5d78d81a29c3b0e
SHA256: 0857910fad0a523aa0176b979d19fb27767d1ab627390e97d96c32209dee07e1
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\VPreview.dll
executable
MD5: 445a8abb6e4efc37b1150d163fb54417
SHA256: a58c01cf149b6edb8a8485443cdb92fa33b7737c800b098968bd25e795601dbd
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\eassos-recovery-free[1].htm
html
MD5: e2224855f47747c542ae6dc8b916dfe3
SHA256: d51aa41810a91a2c189f3644310483a74cc2940fbc960fa703edf2cdda7280b8
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\twintter[1].png
image
MD5: f0d9ff7e2f33479430266bb2c53fe66c
SHA256: 03d2581699d2e6daf534a60a8c512ae90ffacca15f79a34c5f70ad1700b23dd5
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\facebook[1].png
image
MD5: d41c74fae3e5c7622f0c84f3aa6d9c08
SHA256: 4c4bec23e2036467430e597f0cb234fb709aa60e6035c20232c77b839cbac224
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\norton[1].png
image
MD5: 60ae697a4b55d64cc23d5017930aa027
SHA256: 890d6c30d7cd231b3de5798570752f9fd769eae1d4485580442f3ed7346647cf
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\bottom-logo[1].png
image
MD5: ed060c09c7b2d09c9a396d5b634af3f9
SHA256: f94bb636839d85dc464bf353118fa2e1d8317987ee8bd26a94d386426d233490
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\secure[1].png
image
MD5: 3f8d6490d3e40ab827be5d869c827017
SHA256: 3c38c4dcb023f7a57d7a57eccda01d9de87b60c040c482980cd9251d23399f16
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\erf-04[1].png
image
MD5: 047d48dc1986596217efaf65c75ced74
SHA256: 4bc73d9c6dbe32816ac5162085d339dad6c3c16985cffea0c07ce6f41c8fc32c
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\erf-09[1].png
image
MD5: 31e9df2859af0a44ca16d29474f22467
SHA256: 53366798ec3805e2c7bbf0af7b61c0a862874311c27f5584db5ebd533fc765bf
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\erf-08[1].png
image
MD5: a7505699c599e5f1dfa67ca1c1dd6fee
SHA256: 3bb0dd5ff689f27ce4f928f2be7b2fa144add82e2a49c7acaa37dc55bdd6a58e
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\erf-07[1].png
image
MD5: 0edb996f47bc9672f2e6e51293519c73
SHA256: b95aab2cd5f264c8e5a95851bbb92dd5d2236e962af5ee3a63bd15561e923622
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\erf-01[1].png
image
MD5: aa35b9d0ad8799a1fd9d949b4b880458
SHA256: 31457fcfdd828dd9c1b215e8e115e78744719d7354b20d7f77ab54f3e6a58102
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\erf-06[1].png
image
MD5: 4a042726cd2de6a72f53515a8da59604
SHA256: 7c5e25b82c0a8a4c70f155832d21ec15a11ffc5eb49d23a47cb61647f22500e5
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\cr-tab-fast[1].png
image
MD5: b9a956ef428f5d40554fc08ee69a4b44
SHA256: 91a39603a7a2c4b9b3bb817988b35d0120b8198354de9f0ea339a019d85eafda
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\erf-03[1].png
image
MD5: a9fcb082a54379213328c515c3336bc7
SHA256: 5027eb7697dc08441976126136498cf8e88c2dd11326fce11384c0b72a1c0ca7
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\cr-tab-scan[1].png
image
MD5: e39d9a6a4f7acd776d72a624a1496e1b
SHA256: ea73e54559366061b60ffdad70d75e1ca29e213fc67fff6678d120e4aa0e2c3d
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\menu-button-bg[1].png
image
MD5: c1880078d19e2d457e906e78ef204c95
SHA256: 181892a0a60d2e6fc8bb666ea768e873ecf64c26a45b8dd2814f70fc374ddcae
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\logo-min[1].png
image
MD5: a817b86e2085b39ca023d781d221c2c4
SHA256: 38efedefc954b3896472635c3d42368fc1418ed28bdcd4aa0fa4ce5364eb5057
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\cr-tab-preview[1].png
image
MD5: 51ac84e9dd2f791697d24aa78b38f39d
SHA256: 5c44d043c57409b3ae4222ec46d701dcc184a68aa15d703c242230a6fcccebae
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\top-logos[1].png
image
MD5: 5f14bf9b99c411f14acb5a2e327ab083
SHA256: 4fa173a0e5893d7fd030d927056a1e329b42eaf91acd44e69d3543965ba7b066
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\esr-backing-up[1].png
image
MD5: ae59b64a79912ab06f3b15c76de00533
SHA256: dd5e80f3d5f5e4f97bedd3d4593812b1a7488014455c4fd12bff48dd1becf5ed
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\esr-backup[1].png
image
MD5: 63019e8d46ef551b92b4985f3618d7b0
SHA256: 7df99162d62ca6769901a77f1e7768e6b7be68b72178b61be0fc7643d4baadb6
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\esr-efi[1].png
image
MD5: 7912da86de020c73c86e5f67f10a2dcf
SHA256: 2f7f6263d937dab4028c08a906b8a219b4d4052159488cdb3b931269ce81bba3
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\esr-multiple-restore[1].png
image
MD5: 918a1bf398b767df7512a2fd5c74ec44
SHA256: 02fd46ea39c24c665f5ebcbddc150fc84832f263c12bfd929058d94d81588734
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\logo-er[1].png
image
MD5: af6ea1ec9953bef65fb53d413d3f559a
SHA256: 4b81168a77ba416b1b991a722f3a09cc83a5ed6d6f114e5cd88c2749aee42e30
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\esr-home-page[1].png
image
MD5: 9acf9229113fdfed255fe888e17e77f4
SHA256: 2fda4653d4824ddd00f7ab45163fe18e92694118132b762e426d2096d8c04bfa
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\eassosLogo[1].png
image
MD5: 796845ee967a9d6b87f5b310246358b7
SHA256: 4525a200c2990aaa58c34c7f4099b347fe57c3c9b66bd94069a8fd88ff9e94c9
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\logo-pg[1].png
image
MD5: f6482f0ee0f6f884ee6307d92e306d54
SHA256: 5b5f4a16245c15a48bc87ac0d287e873a275eac143bb60f9d372786f0abe1c99
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\logo-esr[1].png
image
MD5: a821feddb1b57cb503068127cc3d4b1e
SHA256: 24293a719fdae9d388248d016fee789e8bb0c06f3242d4dc204d34ed310e67f5
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\data5[1].png
image
MD5: 96de70aeb8f96ceb89547a1575992c17
SHA256: 34613867616163f6d4a3c8d5d7f80b5689ffe8436df8d75035fe2d3a81886911
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: bf1fcc643000d1fbcfa8c84056a536c0
SHA256: 02b821041d14a152ad678ff40886f31a1be5dc47350a10a6e7431d52b54c6e8c
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\data6[1].png
image
MD5: 3ddd5bc0854a3bd72f0556a6e7d4596b
SHA256: f98620fb5ad3101a2f607331f861b0007d7683b34b33d16def605f2c6037c7cc
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\nav3[1].png
image
MD5: da6db5e5ae5857d60088d2dfceeb6690
SHA256: c646495b0a38fb935d513cab10b8219299bf5cd606b678cf575b3a4dd9201eba
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\data4[1].png
image
MD5: a137c684a9bc1fb2a5d16937990f876a
SHA256: 8a21010d6c5a694372b9cfd144ae14ccde46afe23618d026372dc71134a9bbe8
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\chart[1].png
image
MD5: ebc539de1061ebd6efb74368e91144c4
SHA256: baede23d18b4421940a03e878b7dd768ce40b8e5523fae312335cdb369c64dca
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\data3[1].png
image
MD5: e17007745fc5e911ca4058b9bcb52bd0
SHA256: ad0598f4d3257eac43c6453c215aaf8ba15c80a490ba2e632626623896d358a6
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\nav5[1].png
image
MD5: 6bf0e1e1dd0c4388e8d98b9cd223f7cd
SHA256: 2cafb49e1272fabb28e5724616d9320484beb8d3e705304c6f5ea095a6af4020
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\nav4[1].png
image
MD5: a9a6fb2bbae4354dab75c13104b91b4e
SHA256: 05f0b8b912222ee6fb4f5e1b059311c5ca0f2ad90afe900fe1a92b1cdc94105c
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\data1[1].png
image
MD5: 41c8999e4562fe647574f48a11b44fca
SHA256: efc70a57d57630132f4eb98c7a7b3797ca0675cf30221a9a3645a793059997c1
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\y[1].png
image
MD5: dc1a5393ae39169cc97f1e3acb1514c7
SHA256: 8ffc4caa9afcb0f4966560daec3aab259ee89c6e0ed8ad70648f04cb96de45b6
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\nav2[1].png
image
MD5: 7bbceba9da96c7637df987616ba63234
SHA256: 554fbc6590cef75a47ef29b5f871a12ada164438862323c632a8f7aab0c5616f
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\nav-store[1].png
image
MD5: 2f98ce44ae9ea51829269ff88ab3005f
SHA256: 36f1a72e4863e22e965fad683615c966a490edd1fc4ee82cea6a056635428869
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\top-src[1].js
text
MD5: 03e0048289765a8fd82420b55672a374
SHA256: 94e733834e4499bf5c7bbe366a3cfbd2d31ac8bf849253424402ab09bd268104
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\bat[1].js
text
MD5: b994a4b8d5581e81c24fd9bcccfef95c
SHA256: 6b4c72b8214beaceed57a85c54eed2c61cfc4911b3d677db9a6e00849ef6be05
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\vivo-common[1].js
text
MD5: d026e62fba0b609119641af3be62d9bd
SHA256: c308b244f5236bcd7270586369686c7977361b4cade9771ee173c0d0ab2c82d9
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
smt
MD5: 60272cba5ad84466b761ccb17bc51037
SHA256: ed2a144c57ac894562da29c3ed8df7a741f5a07e4c053cd366417c3574ec4cae
3880
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
text
MD5: bf50c581524b4db098676bc57bd15dca
SHA256: f5f63c01bc92b300cdc087c0c39858cceb268162535f1ba3411aa22c2e3137da
3880
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
dat
MD5: bbcd534a69288faf2c036b53dfcc8ca7
SHA256: c09b8b9256ee98b8613566852e2f6ce24190b62c60efed5164a5d872e1d3cddc
1208
FlashUtil32_26_0_0_131_ActiveX.exe
C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache\NativeCache.directory:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\jquery.min[1].js
text
MD5: 397754ba49e9e0cf4e7c190da78dda05
SHA256: c12f6098e641aaca96c60215800f18f5671039aecf812217fab3c0d152f6adb4
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\analytics[1].js
text
MD5: a477b40dcc869e74d6414e8e42e36844
SHA256: cec3748d0c3da4700300d5424aaea375b03550b0ee8b3dd38e242c4022261446
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\top-icon[1].eot
eot
MD5: d2e932317ba7b01560a9408b4557f583
SHA256: 0563952b8a8b5bd3fbf05b7c67e51bbaeebeefd3025abbc4a2e29d01b47a71be
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\style[1].css
text
MD5: 5edf5beff136e0d56695ef440d086d28
SHA256: 281fc2d1492c413d073a80066752c0519344e1066ebdc8e70e8c8ae09f251655
304
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
dat
MD5: 49a4195cf61f4adb98695803b059f25a
SHA256: 533e4150ac61f7f057fac53dc687d992f8dafd54237fe760b2d2139b395df69f
3644
EassosRecovery.exe
C:\Program Files\Eassos Recovery\Options.ini
text
MD5: 2a982008648ab1d82e5a8a6d8ff8896c
SHA256: 0524d9a1d1762aa851c5ab0622a7f2d65dc757481aec5950b52cfe9c0aae800b
3644
EassosRecovery.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
binary
MD5: 01afeda8e580f090ea416890941e6daa
SHA256: 32ddecee8c65868de01544203cb7b6235ad3b882833bfc0a09209269c25bee4c
3644
EassosRecovery.exe
C:\Users\admin\AppData\Local\Temp\Tar9CB2.tmp
––
MD5:  ––
SHA256:  ––
3644
EassosRecovery.exe
C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
compressed
MD5: 58a3badc25e15583224e2b922f370a4f
SHA256: 7e0630e9c468031329cad1a21bfb37c12153bda0f4d6298ee1b8682dd0c35f8a
3644
EassosRecovery.exe
C:\Users\admin\AppData\Local\Temp\Cab9CB1.tmp
––
MD5:  ––
SHA256:  ––
3644
EassosRecovery.exe
C:\Users\admin\AppData\Local\Temp\Cab9C30.tmp
––
MD5:  ––
SHA256:  ––
3644
EassosRecovery.exe
C:\Users\admin\AppData\Local\Temp\Tar9C31.tmp
––
MD5:  ––
SHA256:  ––
3644
EassosRecovery.exe
C:\Users\admin\AppData\Local\Temp\Tar9C33.tmp
––
MD5:  ––
SHA256:  ––
3644
EassosRecovery.exe
C:\Users\admin\AppData\Local\Temp\Cab9C32.tmp
––
MD5:  ––
SHA256:  ––
2156
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\unins000.dat
dat
MD5: 9a0f20ea7287abebc658edd377d984fe
SHA256: 48c5e3da6391b6525639c852ef45015bbccff94c09a6ae593c81ef66f9161355
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\unins000.msg
binary
MD5: 5d86f9f569d8b0e54dc1ba267e910e5c
SHA256: bfa4087b22996232abdfe0ce07c4f34864acf2615fd8441f532bf0cc670b0600
2596
ERFreeSetup435385_eng.tmp
C:\Users\Public\Desktop\Eassos Recovery.lnk
lnk
MD5: 2cae3cafc381e9e93ce2adf5777b4692
SHA256: 321b4aa3424c77649fd5ef837e22a96dc99732c18479bf9800bc38f2f66ed3d4
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\Options.ini
text
MD5: 711c0bc6f8e2cc3372f6e16438cf499c
SHA256: fa950ff50c91929ec11cd09ac77c426d77af0cf143bf7b82e8697b314ab4d69c
2596
ERFreeSetup435385_eng.tmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eassos Recovery\Uninstall Eassos Recovery.lnk
lnk
MD5: 342e4142074571eaa9f027def28a07f1
SHA256: 5d01aaeca250615d0979ad0d2724324d7a8e0b38cd5d9aa8a5fffb766ccb07ec
2596
ERFreeSetup435385_eng.tmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eassos Recovery\Run Eassos Recovery.lnk
lnk
MD5: 889edbdceab9defc2c61d5724347256e
SHA256: 9d788f541dbf5dde0ca569eb9b6de36d5e5370e0a50f12116586c7c05fea1ebe
2596
ERFreeSetup435385_eng.tmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eassos Recovery\Eassos Recovery on the Web.url
text
MD5: f607113e4750afdf419552be38316212
SHA256: 8f652bdeaa4a6379753aae1423b076e43e138b8f634d7db80eb90d7b017449a2
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\license_En.txt
text
MD5: 4bbcdf006814325722580bd18d988bb7
SHA256: d7043b37b3ca90a85648aed98c70f671072cc33fc0e97ab277b6dd1f2d3da1e1
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\license_Jp.txt
text
MD5: 733d8e60414ff8bbb07b8060c9d0e1a6
SHA256: 5257b126f98df390f6b2567df0c029fb5884b8077885b99887fd81834856298e
2156
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\logoIco[1].ico
image
MD5: 427bca81d1b9b6db022af0e62448d67b
SHA256: 7a9b9b57d5f27ab8633fb4a8347d52a19016eb4e05905d357446c2743897b9b8
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-4J14D.tmp
––
MD5:  ––
SHA256:  ––
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-O14OL.tmp
––
MD5:  ––
SHA256:  ––
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-72P2B.tmp
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\recovery-free-bg[1].jpg
image
MD5: 7dc73aa99542d6c2463b66c82701bfcc
SHA256: f8a346b2f68f65b51bd6d504db7c213953adc89d1ede3437638ab667e1277562
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-0J744.tmp
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\top-list[1].png
image
MD5: e6d2b090de8d8d1c7058fc018b9db288
SHA256: 1e34fd4d09ecf81a7ef1c3b337a0974ccdba4578c064213f8497643736079a6e
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-TDKIH.tmp
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\data2[1].png
image
MD5: 7a41ae6c75741f13728ded11ed372069
SHA256: b4c4d1451845a96d849980a8b998b681b30aa5652c64790951650d20fb95df49
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-PTILL.tmp
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\top-support[1].png
image
MD5: 00f0800ab0b777e0e39c7c4f2f661775
SHA256: 28102a61aad631214beaa147cbad16efc374a0a0765b27fadbe053a8a8ce8f9a
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-7A835.tmp
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\erf-02[1].jpg
image
MD5: 901ad272a61732552b540f39c952be88
SHA256: 773b6cf61683ce2571a743a36d5cc8a951d76583a9a00555b0d391a7ee16ae18
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-F9O39.tmp
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\erf-05[1].jpg
image
MD5: c737bfbc271f7f52137c70221959e366
SHA256: 445ba10a907749b6fa216ee55baa66c11a0ac5f83b8e585ecc4a15a706a04b2f
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-MJQOI.tmp
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\bottom-list2[1].png
image
MD5: 4f823991acec8ee65e27309eadd0ff63
SHA256: 707d6aaf23a689cbf7590587ef89eabc9488df19177cc11da1f59a174ee61d96
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\bottom-seg[1].png
image
MD5: dd588c2ea7148625f0ac667497dd7dba
SHA256: 81e64f0c9a7b43dedd66fab9cd90cb0286cdd2fb433d0d35771e6ef9568293a4
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-03GK9.tmp
––
MD5:  ––
SHA256:  ––
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-RQQ7F.tmp
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\icon6[1].png
image
MD5: 55492d024946d3f7312bf3ce76c1fa02
SHA256: 69e94484b66a1a82080833b4694a8318ab465ef6f95c99d9e2878ddb97acba8a
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-IBRJ5.tmp
––
MD5:  ––
SHA256:  ––
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\er-banner-star[1].png
image
MD5: e379d9c4401b2ed6ebf0e89845d81cdd
SHA256: 1dacb4b28c4452d3a2f35832131b8fbab2413fc74d23d720efaca37e646bef7c
2596
ERFreeSetup435385_eng.tmp
C:\Program Files\Eassos Recovery\is-V06UO.tmp
––
MD5:  ––
SHA256:  ––
2932
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
304
iexplore.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\index.dat
dat
MD5: d7a950fefd60dbaa01df2d85fefb3862
SHA256: 75d0b1743f61b76a35b1fedd32378837805de58d79fa950cb6e8164bfa72073a
2932
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DF94F41DA7BAC3BA8C.TMP
––
MD5:  ––
SHA256:  ––
2932
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BCD9771B-BE08-11E9-9885-5254004A04AF}.dat
––
MD5:  ––
SHA256:  ––
304
iexplore.exe
C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log
text
MD5: c4a9ac24786a494960b289f39608a658
SHA256: f0074dea1903c195a8109b77a36a581e86d9ddb8349b189568183fa8efaee4b0
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\header-bottom-erf[1].png
image
MD5: de570c4f406da25294cf84253da902a8
SHA256: 7764a0606bc9d51b1b49c4d6692979eafe0805812fa87f2276a8b331b8dcf243
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\youtube[1].png
image
MD5: 1faa6ae930d3bcc98a152a3a9a293074
SHA256: 90e3330fed03aa9f92cfceaa7c96e9519d97a8156d1557b01b0341593be1a4e6
2932
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: fbb8c04a5b16db0b75345da1997e5433
SHA256: 666f284990e6602bbf53d9ea7a93dc84871f08ad126bab722bc26dc52250c1ad
304
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019081320190814\index.dat
dat
MD5: 4cb240428648596fb420fb32e0e19398
SHA256: 32d74ac4cae221eddd7676775aaaa52005d71a0083864a6bcb5ba03a809ed2bb
304
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
dat
MD5: c6d5c86f6984f1a0ace562d1c4d32aeb
SHA256: 9325274b519a8c8842fa57dea42264a233db51cd7c912528b166b781e7c552fb
2932
iexplore.exe
C:\Users\admin\Downloads\ERFreeSetup435385_eng.exe:Zone.Identifier
text
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
2932
iexplore.exe
C:\Users\admin\Downloads\ERFreeSetup435385_eng.exe
––
MD5:  ––
SHA256:  ––
304
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\ERFreeSetup435385_eng[1].exe
––
MD5:  ––
SHA256:  ––
2932
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{BCD9771C-BE08-11E9-9885-5254004A04AF}.dat
binary
MD5: 7260990f0e9c6b29440cb42e55e3186e
SHA256: 931df5e88a775fc06753a59b49d0113639c44b9183809efd7d9014ae2753c687
2932
iexplore.exe
C:\Users\admin\AppData\Local\Temp\~DFAF4C9AC535E9436B.TMP
––
MD5:  ––
SHA256:  ––
2932
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png
image
MD5: 9fb559a691078558e77d6848202f6541
SHA256: 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
2932
iexplore.exe
C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
––
MD5:  ––
SHA256:  ––
2932
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
––
MD5:  ––
SHA256:  ––
304
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JEHT8RY0\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
304
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PQVBTWUS\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
304
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
304
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XY27TAH0\desktop.ini
ini
MD5: 4a3deb274bb5f0212c2419d3d8d08612
SHA256: 2842973d15a14323e08598be1dfb87e54bf88a76be8c7bc94c56b079446edf38
3880
iexplore.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3XP74BC1\top-pg-icons[1].png
image
MD5: 7d2c4ab5d9a1269f3b49d46df7475545
SHA256: b4393c1f0cdce5fb968d33ccf275e9e1586604a36c5bd8b61cb1cc5f000516b8

Network activity

HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 8
Threats: 1

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3880 | iexplore.exe | GET | 301 | 198.11.182.166:80 | http://www.eassos.com/eassos-recovery-free.php | US | html | | malicious |
| 3644 | EassosRecovery.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | | whitelisted |

Connections

| PID | Process | IP | ASN | CN | Reputation |
|---|---|---|---|---|---|
| 2932 | iexplore.exe | 204.79.197.200:80 | Microsoft Corporation | US | whitelisted |
| 304 | iexplore.exe | 175.6.235.229:80 | Hengyang | CN | suspicious |
| 3880 | iexplore.exe | 198.11.182.166:80 | Alibaba (China) Technology Co., Ltd. | US | malicious |
| 3880 | iexplore.exe | 198.11.182.166:443 | Alibaba (China) Technology Co., Ltd. | US | malicious |
| 3644 | EassosRecovery.exe | 198.11.182.166:443 | Alibaba (China) Technology Co., Ltd. | US | malicious |
| 3644 | EassosRecovery.exe | 205.185.216.10:80 | Highwinds Network Group, Inc. | US | whitelisted |
| 3880 | iexplore.exe | 172.217.23.174:443 | Google Inc. | US | whitelisted |
| 3880 | iexplore.exe | 74.125.140.157:443 | Google Inc. | US | whitelisted |
| 3880 | iexplore.exe | 204.79.197.200:443 | Microsoft Corporation | US | whitelisted |
| 3880 | iexplore.exe | 172.217.16.164:443 | Google Inc. | US | whitelisted |
| 2156 | iexplore.exe | 198.11.182.166:443 | Alibaba (China) Technology Co., Ltd. | US | malicious |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted |
| engdownload.diskgenius.cn | 175.6.235.229 | suspicious |
| www.eassos.com | 198.11.182.166 | malicious |
| www.download.windowsupdate.com | 205.185.216.10, 205.185.216.42 | whitelisted |
| www.google-analytics.com | 172.217.23.174 | whitelisted |
| stats.g.doubleclick.net | 74.125.140.157, 74.125.140.155, 74.125.140.156, 74.125.140.154 | whitelisted |
| bat.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted |
| www.google.com | 172.217.16.164 | whitelisted |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 304 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |

Debug output strings

No debug info.