General Info

File name

exec.bin.zip

Full analysis
https://app.any.run/tasks/44ea25fe-afbd-44fb-ad8b-741ef4357d21
Verdict
Malicious activity
Analysis date
7/18/2019, 16:19:50
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

3c7bdce2ee2254c697cb82ac2b16b32e

SHA1

c94f23c9a1b29b5e35b3e9689a2d71fb62e33ae9

SHA256

a6bc15de4c0537e7fba12cccd2c5ed28c784ca7f98384ac64223e8a5ec0233d8

SSDEEP

768:1vQVHiQtqAFmm4vgXak/1x6GGo1dsZWEEK5:1vLQQAFmmHRDfGSkWEt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
300 seconds
Additional time used
240 seconds
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • exec.bin.exe (PID: 3064)
Changes the autorun value in the registry
  • exec.bin.exe (PID: 3064)
Actions look like stealing of personal data
  • exec.bin.exe (PID: 3064)
Renames files like Ransomware
  • exec.bin.exe (PID: 3064)
Starts CMD.EXE for commands execution
  • exec.bin.exe (PID: 3064)
Creates files in the user directory
  • exec.bin.exe (PID: 3064)
Reads the cookies of Mozilla Firefox
  • exec.bin.exe (PID: 3064)
Writes to a desktop.ini file (may be used to cloak folders)
  • exec.bin.exe (PID: 3064)
Executable content was dropped or overwritten
  • exec.bin.exe (PID: 3064)
  • WinRAR.exe (PID: 3828)
Creates files in the program directory
  • exec.bin.exe (PID: 3064)
Manual execution by user
  • rundll32.exe (PID: 2496)
  • iexplore.exe (PID: 2488)
  • iexplore.exe (PID: 2704)
  • exec.bin.exe (PID: 3064)
Reads internet explorer settings
  • iexplore.exe (PID: 2968)
  • iexplore.exe (PID: 680)
Changes internet zones settings
  • iexplore.exe (PID: 2488)
  • iexplore.exe (PID: 2704)
Creates files in the user directory
  • iexplore.exe (PID: 2704)
Reads Internet Cache Settings
  • iexplore.exe (PID: 2704)
Dropped object may contain Bitcoin addresses
  • exec.bin.exe (PID: 3064)
Application launched itself
  • iexplore.exe (PID: 2704)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
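The behaviours listed above are the classic ransomware chain: a RunOnce autorun entry pointing at a copy of the executable under AppData (Registry activity, PID 3064), user documents renamed to <name>.<ext>.[<contact>].LotR, a #NEW_WAVE.html note dropped into several directories, and a cmd.exe child that deletes the original binary (PID 2060). Note that the task ran with Autoconfirmation of UAC on, so the HIGH integrity level of exec.bin.exe and its cmd.exe child should not by itself be read as evidence of a UAC bypass. The Python below is an added example, not code from ANY.RUN or from this report: it runs simple detection rules over a constructed event stream modelled on the report's process, registry and file entries. The event schema is invented for the example, and the contact address inside the brackets is a placeholder because the report redacts it.

```python
import re
from collections import defaultdict

# Constructed event stream modelled on this report (not an ANY.RUN export format).
# The bracketed contact address is a placeholder; the report redacts the real one.
EVENTS = [
    {"type": "process", "pid": 3064, "ppid": None,
     "image": r"C:\Users\admin\Desktop\exec.bin.exe",
     "cmdline": r'"C:\Users\admin\Desktop\exec.bin.exe"'},
    {"type": "registry", "pid": 3064,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
     "name": "BrowserUpdateCheck", "value": r"C:\Users\admin\AppData\Local\exec.bin.exe"},
    {"type": "process", "pid": 2060, "ppid": 3064,
     "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\admin\Desktop\exec.bin.exe > nul'},
    {"type": "file_rename", "pid": 3064,
     "old": r"C:\Users\admin\Documents\buyererror.rtf",
     "new": r"C:\Users\admin\Documents\buyererror.rtf.[attacker@example.invalid].LotR"},
    {"type": "file_create", "pid": 3064, "path": r"C:\Users\admin\Documents\#NEW_WAVE.html"},
    {"type": "file_create", "pid": 3064, "path": r"C:\Program Files\Qemu-ga\#NEW_WAVE.html"},
    # Benign noise that must not fire: an ordinary rename and a cmd.exe deleting a temp file.
    {"type": "file_rename", "pid": 1234,
     "old": r"C:\Users\admin\Documents\report.docx", "new": r"C:\Users\admin\Documents\report_v2.docx"},
    {"type": "process", "pid": 3828, "ppid": None, "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\exec.bin.zip"'},
    {"type": "process", "pid": 4321, "ppid": 3828, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c del C:\Users\admin\AppData\Local\Temp\tmp1.dat'},
]

# Run / RunOnce keys under CurrentVersion (HKCU or HKLM).
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Autorun target inside a location an unprivileged user can write to.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\(AppData|Desktop|Documents|Downloads)\\", re.IGNORECASE)
# "<name>.<ext>.[<contact>].<newext>", e.g. buyererror.rtf.[attacker@example.invalid].LotR
RANSOM_RENAME = re.compile(
    r"^(?P<orig>.+\.[A-Za-z0-9]+)\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$")
# Target of a "del" in a cmd.exe command line, quoted or not.
DEL_TARGET = re.compile(r"\bdel\b\s+(?:\"(?P<q>[^\"]+)\"|(?P<u>\S+))", re.IGNORECASE)


def detect(events):
    """Return a list of findings; each names the rule, the offending PID and the evidence."""
    findings = []
    image_by_pid = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    note_dirs = defaultdict(set)  # (pid, file name) -> directories it was written to

    for e in events:
        if e["type"] == "registry":
            if AUTORUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["value"]):
                findings.append({"rule": "autorun_user_path", "pid": e["pid"],
                                 "evidence": "%s\\%s = %s" % (e["key"], e["name"], e["value"])})
        elif e["type"] == "process" and e["image"].lower().endswith("\\cmd.exe"):
            m = DEL_TARGET.search(e["cmdline"])
            parent = image_by_pid.get(e["ppid"])
            if m and parent and (m.group("q") or m.group("u")).lower() == parent.lower():
                # cmd.exe deleting the image of its own parent: self-removal after execution.
                findings.append({"rule": "self_delete_via_cmd", "pid": e["ppid"],
                                 "evidence": "pid %d: %s" % (e["pid"], e["cmdline"])})
        elif e["type"] == "file_rename":
            m = RANSOM_RENAME.match(e["new"].rsplit("\\", 1)[-1])
            if m and e["old"].rsplit("\\", 1)[-1] == m.group("orig"):
                findings.append({"rule": "ransom_extension_rename", "pid": e["pid"],
                                 "evidence": e["new"], "contact": m.group("contact"), "ext": m.group("ext")})
        elif e["type"] == "file_create":
            directory, _, name = e["path"].rpartition("\\")
            note_dirs[(e["pid"], name)].add(directory)

    for (pid, name), dirs in note_dirs.items():
        # The same note file written into two or more directories by one process.
        if len(dirs) >= 2 and name.lower().endswith((".html", ".txt", ".hta")):
            findings.append({"rule": "ransom_note_fanout", "pid": pid,
                             "evidence": "%s written to %d directories" % (name, len(dirs))})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], f["pid"], f["evidence"])
```

The self-deletion rule deliberately ties the del target to the parent's image path rather than to any cmd.exe /c del, which is why the WinRAR-spawned temp-file cleanup in the sample stream is not flagged.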

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2019:07:18 16:19:03
ZipCRC:
0x96796d8b
ZipCompressedSize:
28564
ZipUncompressedSize:
54272
ZipFileName:
exec.bin
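The EXIF block above prints the ZIP local-header fields as raw integers. ZipRequiredVersion 788 is 0x0314: the low byte 20 means spec version 2.0 (matching the "at least v2.0 to extract" from file(1)), and ZipBitFlag 0x0001 has bit 0 set, which marks the entry as password-protected, a common way of shipping samples past mail and web scanners. The Python below is an added example, not part of the ANY.RUN report: it decodes those two fields and walks the local file headers of a small archive constructed in memory. Reading the upper byte of the version-needed field as a host-system code, using the APPNOTE "version made by" table, is an assumption; some archivers fill it, others leave it zero.

```python
import io
import struct
import zipfile

# Host-system codes from the APPNOTE "version made by" table. Applying them to the
# upper byte of the local header's "version needed" field is an assumption.
HOST_OS = {0: "MS-DOS/OS2 (FAT)", 3: "UNIX", 7: "Macintosh", 10: "Windows NTFS", 19: "OS X (Darwin)"}
METHODS = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES-encrypted"}

LOCAL_SIG = 0x04034B50
# signature, version, flags, method, time, date, crc, csize, usize, name_len, extra_len
LOCAL_FMT = "<IHHHHHIIIHH"  # 30 bytes


def decode_version(v):
    """Split a 16-bit version field into host byte and spec version (20 -> '2.0')."""
    major, minor = divmod(v & 0xFF, 10)
    return {"host_os": HOST_OS.get(v >> 8, "unknown(%d)" % (v >> 8)),
            "min_version": "%d.%d" % (major, minor)}


def decode_flags(flags):
    """Decode the general-purpose bit flag (APPNOTE 4.4.4)."""
    return {
        "encrypted": bool(flags & 0x0001),          # bit 0: entry is password-protected
        "data_descriptor": bool(flags & 0x0008),    # bit 3: sizes and CRC follow the data
        "strong_encryption": bool(flags & 0x0040),  # bit 6
        "utf8_names": bool(flags & 0x0800),         # bit 11
    }


def parse_local_headers(data):
    """Walk the local file headers of an in-memory ZIP and decode each one."""
    entries, off = [], 0
    while off + 30 <= len(data):
        (sig, ver, flags, method, _time, _date, crc, csize, usize,
         nlen, elen) = struct.unpack_from(LOCAL_FMT, data, off)
        if sig != LOCAL_SIG:  # reached the central directory
            break
        name = data[off + 30: off + 30 + nlen].decode("utf-8", "replace")
        entries.append({
            "name": name,
            "version": decode_version(ver),
            "flags": decode_flags(flags),
            "method": METHODS.get(method, "method %d" % method),
            "crc32": "0x%08x" % crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
        })
        if flags & 0x0008 and csize == 0:
            break  # sizes live in a trailing data descriptor; this simple walker stops here
        off += 30 + nlen + elen + csize
    return entries


def build_sample_zip():
    """Constructed stand-in archive: one deflated entry named like the sample, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("exec.bin", b"MZ" + b"\x00" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    # The two values exactly as printed in the report's EXIF block.
    print(decode_version(788), decode_flags(0x0001))
    for entry in parse_local_headers(build_sample_zip()):
        print(entry)
```

The archive built by Python's zipfile leaves the upper version byte at zero and clears every flag, so the decoded header of the constructed entry reads "MS-DOS/OS2 (FAT)", version 2.0, not encrypted; the report's 788 / 0x0001 decode to UNIX, version 2.0, encrypted.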

Processes

Total processes
54
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Nodes: start; winrar.exe; exec.bin.exe; iexplore.exe; iexplore.exe (no specs); rundll32.exe (no specs); cmd.exe (no specs); notepad.exe (no specs); iexplore.exe; iexplore.exe (no specs)
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3828
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\exec.bin.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
3064
CMD
"C:\Users\admin\Desktop\exec.bin.exe"
Path
C:\Users\admin\Desktop\exec.bin.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\exec.bin.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll

PID
2704
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Documents\#NEW_WAVE.html
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\version.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\tquery.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wpc.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll

PID
680
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2704 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\program files\java\jre1.8.0_92\bin\deploy.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msimtf.dll

PID
2496
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Documents\buyererror.rtf.[[email protected]].LotR
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\version.dll
c:\windows\ehome\ehshell.exe
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\mspaint.exe
c:\windows\system32\notepad.exe
c:\program files\opera\opera.exe
c:\program files\windows photo viewer\photoviewer.dll
c:\program files\windows media player\wmplayer.exe
c:\program files\windows nt\accessories\wordpad.exe
c:\windows\system32\shdocvw.dll
c:\windows\system32\netutils.dll

PID
2060
CMD
"C:\Windows\system32\cmd.exe" /c del C:\Users\admin\Desktop\exec.bin.exe > nul
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
exec.bin.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
3844
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Documents\buyererror.rtf.[[email protected]].LotR
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

PID
2488
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Qemu-ga\#NEW_WAVE.html
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\cryptbase.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\version.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ieui.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\url.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\sxs.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll

PID
2968
CMD
"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2488 CREDAT:79873
Path
C:\Program Files\Internet Explorer\iexplore.exe
Indicators
No indicators
Parent process
iexplore.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Internet Explorer
Version
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\comdlg32.dll
c:\program files\internet explorer\ieshims.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\internet explorer\sqmapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rsaenh.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\mlang.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\apphelp.dll
c:\program files\java\jre1.8.0_92\bin\ssv.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\version.dll
c:\program files\java\jre1.8.0_92\bin\jp2ssv.dll
c:\program files\java\jre1.8.0_92\bin\msvcr100.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\msimtf.dll
c:\windows\system32\sxs.dll
c:\windows\system32\msxml3.dll
c:\program files\internet explorer\iedvtool.dll
c:\windows\system32\msimg32.dll

Registry activity

Total events
1850
Read events
1679
Write events
168
Delete events
3

Modification events

PID
Process
Operation
Key
Name
Value
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtBMP
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
ShellExtIcon
3828
WinRAR.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
LanguageList
en-US
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
0
C:\Users\admin\AppData\Local\Temp\exec.bin.zip
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
name
120
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
size
80
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
type
120
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
mtime
100
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface
ShowPassword
0
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Placement
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General
LastFolder
C:\Users\admin\AppData\Local\Temp
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
name
120
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
size
80
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
psize
80
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
type
120
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
mtime
100
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths
crc
70
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_0
38000000730100000402000000000000D4D0C800000000000000000000000000960111000000000039000000B40200000000000001000000
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_1
38000000730100000500000000000000D4D0C8000000000000000000000000004E010F0000000000160000002A0000000000000002000000
3828
WinRAR.exe
write
HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout
Band56_2
38000000730100000400000000000000D4D0C800000000000000000000000000CC0107000000000016000000640000000000000003000000
3064
exec.bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
BrowserUpdateCheck
C:\Users\admin\AppData\Local\exec.bin.exe
3064
exec.bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3064
exec.bin.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2704
iexplore.exe
delete key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\0
PID | Process | Operation | Key | Name | Value
2704 | iexplore.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache\1 | –– | ––
2704 | iexplore.exe | delete key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache | –– | ––
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 4600000078000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {65413523-A967-11E9-95C0-5254004A04AF} | 0
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 2
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E3070700040012000E00150039001601
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Type | 4
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Count | 2
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Time | E3070700040012000E00150039001601
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | FullScreen | no
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Window_Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links | Order | (value elided)
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Window_Placement | 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Type | 3
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Count | 2
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Time | E3070700040012000E0015003A002C00
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | LoadTime | 19
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Type | 3
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Count | 2
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Time | E3070700040012000E0015003A005B00
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | LoadTime | 30
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Type | 3
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Count | 2
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Time | E3070700040012000E0015003A007A00
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | LoadTime | 31
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
680 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
680 | iexplore.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Default MHTML Editor | Last | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "%1"
2496 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\NOTEPAD.EXE | Notepad
2496 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.LotR\OpenWithList | a | NOTEPAD.EXE
2496 | rundll32.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.LotR\OpenWithList | MRUList | a
2496 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | LanguageList | en-US
3844 | NOTEPAD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Notepad | iWindowPosX | 22
3844 | NOTEPAD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Notepad | iWindowPosY | 22
3844 | NOTEPAD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Notepad | iWindowPosDX | 960
3844 | NOTEPAD.EXE | write | HKEY_CURRENT_USER\Software\Microsoft\Notepad | iWindowPosDY | 501
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | (value elided)
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {AA8760A5-A967-11E9-95C0-5254004A04AF} | 0
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 3
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E3070700040012000E0017003500CC00
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Type | 4
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Count | 3
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{789FE86F-6FC4-46A1-9849-EDE0DB0C95CA}\iexplore | Time | E3070700040012000E0017003500DC00
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | FullScreen | no
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Window_Placement | 2C0000000200000003000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF20000000200000004003000078020000
2488 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links | Order | (value elided)
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Type | 3
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Count | 3
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | Time | E3070700040012000E00170035006901
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore | LoadTime | 19
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Type | 3
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Count | 3
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | Time | E3070700040012000E00170035007801
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore | LoadTime | 24
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Type | 3
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Count | 3
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | Time | E3070700040012000E00170035007801
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore | LoadTime | 24
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2968 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1

Files activity

Executable files: 2
Suspicious files: 8952
Text files: 36
Unknown types: 1736
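
The Dropped files table that follows is the raw evidence for how this sample behaves: one process (exec.bin.exe, PID 3064) writes each original file back under its old name plus a fixed suffix, drops the same #NEW_WAVE.html (MD5 d5d8168ba4752ef6b57a8c3ca30718f6) into every directory it touches, and the same executable hash appears both in the WinRAR extraction directory and under AppData\Local. The Python script below is an added example and is not part of the ANY.RUN report or of the sample; it turns such a list into indicators mechanically: it parses the report's six-line records, pairs each encrypted file with the original it replaced to recover the appended suffix, identifies the ransom note as the one file dropped with an identical hash into at least NOTE_MIN_DIRS directories, and lists any executable hash seen at more than one path. RECORDS is a constructed excerpt copied from the rows below (the bracketed address inside the suffix is kept exactly as this page prints it); the pairing rule, the NOTE_MIN_DIRS threshold and all function names are assumptions of the example.

```python
"""Triage of a sandbox "Dropped files" list such as the ANY.RUN table on this page.
Added example, not part of the ANY.RUN report or of the sample. RECORDS is a constructed
excerpt copied from the report's rows; the pairing rule and NOTE_MIN_DIRS are assumptions."""
import ntpath
from collections import Counter, defaultdict, namedtuple
from typing import Optional

NOTE_MIN_DIRS = 3  # a ransom note is a file dropped unchanged into at least this many directories
Dropped = namedtuple("Dropped", "pid process path ftype md5")  # ftype/md5 are None where the report prints a dash


def _clean(value: str, prefix: str = "") -> Optional[str]:
    """Drop a 'MD5:' style label and map the report's dash placeholder to None."""
    if prefix and value.startswith(prefix):
        value = value[len(prefix):]
    value = value.strip()
    return None if not value or set(value) <= set("-–") else value


def parse_report_block(text: str) -> list:
    """Parse the report's flattened records: PID, process, path, type, MD5, SHA256 on six lines."""
    lines = [ln for ln in (raw.strip() for raw in text.splitlines()) if ln]
    if len(lines) % 6:
        raise ValueError("expected six lines per dropped-file record")
    return [Dropped(int(pid), proc, path, _clean(ftype), _clean(md5, "MD5:"))
            for pid, proc, path, ftype, md5, _sha in (lines[i:i + 6] for i in range(0, len(lines), 6))]


# Constructed excerpt of the report's rows; the bracketed address in the appended
# extension is kept exactly as this page prints it.
EXT = ".[[email protected]].LotR"
RB = r"C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000"
M16 = r"C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C"
M2C = r"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C"
NOTE_MD5, EXE_MD5 = "d5d8168ba4752ef6b57a8c3ca30718f6", "6d92f32b6611ba982fd122c1f0af68a8"
RECORDS = [
    Dropped(3828, "WinRAR.exe", r"C:\Users\admin\AppData\Local\Temp\Rar$DRb3828.12301\exec.bin", "executable", EXE_MD5),
    Dropped(3064, "exec.bin.exe", r"C:\Users\admin\AppData\Local\exec.bin.exe", "executable", EXE_MD5),
    Dropped(3064, "exec.bin.exe", RB + r"\#NEW_WAVE.html", "html", NOTE_MD5),
    Dropped(3064, "exec.bin.exe", RB + r"\desktop.ini" + EXT, "binary", "a5aff351ea955216757ebea8948fe167"),
    Dropped(3064, "exec.bin.exe", RB + r"\desktop.ini", None, None),
    Dropped(3064, "exec.bin.exe", M16 + r"\#NEW_WAVE.html", "html", NOTE_MD5),
    Dropped(3064, "exec.bin.exe", M16 + r"\Setup.xml" + EXT, "binary", "6621b89c4511460b7f34d6fff0f063e3"),
    Dropped(3064, "exec.bin.exe", M16 + r"\Setup.xml", None, None),
    Dropped(3064, "exec.bin.exe", M2C + r"\#NEW_WAVE.html", "html", NOTE_MD5),
    Dropped(3064, "exec.bin.exe", M2C + r"\Setup.xml" + EXT, "gpg", "ef1fc161523ca1b082e4eb23ea1ad05b"),
    Dropped(3064, "exec.bin.exe", M2C + r"\Setup.xml", None, None),
    Dropped(3064, "exec.bin.exe", M2C + r"\Proofing.xml" + EXT, "fli", "0b9f200809104d3311b93ebea86c153a"),
    Dropped(3064, "exec.bin.exe", M2C + r"\Proofing.xml", None, None),
]


def encrypted_pairs(records):
    """Within one writer and one directory, pair <name><suffix> with <name>: the suffix
    is what the encryptor appended. Returns [(original, encrypted, suffix)]."""
    by_dir = defaultdict(set)
    for r in records:
        d, name = ntpath.split(r.path)
        by_dir[(r.pid, d)].add(name)
    pairs = []
    for (_, d), names in by_dir.items():
        for name in names:
            for base in names:
                if name != base and name.startswith(base) and name[len(base)] == ".":
                    pairs.append((ntpath.join(d, base), ntpath.join(d, name), name[len(base):]))
    return pairs


def ransom_note(records, min_dirs=NOTE_MIN_DIRS):
    """The note is the (name, hash) that one writer drops unchanged into many directories."""
    dirs = defaultdict(set)
    for r in records:
        if r.md5:
            d, name = ntpath.split(r.path)
            dirs[(r.pid, name, r.md5)].add(d)
    if not dirs:
        return None
    (pid, name, md5), seen = max(dirs.items(), key=lambda kv: len(kv[1]))
    return {"pid": pid, "name": name, "md5": md5, "directories": len(seen)} if len(seen) >= min_dirs else None


def relocated_executables(records):
    """Same executable hash at more than one path: archive extraction followed by a copy
    into a user-writable directory is the staging step to look for."""
    paths = defaultdict(list)
    for r in records:
        if r.ftype == "executable" and r.md5:
            paths[r.md5].append(r.path)
    return {h: p for h, p in paths.items() if len(p) > 1}


def triage(records):
    """One-shot summary: appended suffix, encrypted count, note, relocated executables."""
    pairs = encrypted_pairs(records)
    suffix, n = Counter(s for _, _, s in pairs).most_common(1)[0] if pairs else (None, 0)
    enc = [r for r in records if suffix and r.path.endswith(suffix)]
    return {
        "extension": suffix,
        "encrypted_files": n,
        "encryptor_pids": sorted({r.pid for r in enc}),
        "types_on_encrypted": sorted({r.ftype for r in enc if r.ftype}),  # sandbox type guesses on ciphertext are noise
        "note": ransom_note(records),
        "relocated": relocated_executables(records),
    }
```

triage(RECORDS) returns the summary as a dictionary; for the whole table, paste the report's records into parse_report_block and pass the result to triage. The sandbox's type column on the encrypted files (binary, gpg, fli, s in the rows below) is a magic-number guess on ciphertext and is not a usable indicator; the appended suffix, the note's hash and the relocated executable are.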

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3828 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb3828.12301\exec.bin | executable | 6d92f32b6611ba982fd122c1f0af68a8 | b40b147728289e7d7216008c66a7c94ea9adf5a3d37b3dac1099d4524391f3b4
3064 | exec.bin.exe | C:\Users\admin\AppData\Local\exec.bin.exe | executable | 6d92f32b6611ba982fd122c1f0af68a8 | b40b147728289e7d7216008c66a7c94ea9adf5a3d37b3dac1099d4524391f3b4
2488 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | –– | –– | ––
3064 | exec.bin.exe | C:\Users\admin\AppData\Local\Temp\tmp9193.tmp.bat | text | 116e1e7a0c8d3ff9175b87927d188835 | 7a1a810dfc88d9474cd1f999eaa45f9a726b6f9cfc6d3f441e7e8f4460ca59a2
3064 | exec.bin.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini.[[email protected]].LotR | binary | a5aff351ea955216757ebea8948fe167 | 18ffd8cc4b5fc8cc661cffecb55f9dd51d1a899eb23d536e775a5031a1788aaf
3064 | exec.bin.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR | binary | 6621b89c4511460b7f34d6fff0f063e3 | d439fdb08fe1cbe6c92cef181acbba54476f5cd6112cbdfd83012cb1c2b3f7c2
3064 | exec.bin.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\desktop.ini.[[email protected]].LotR | binary | c0f00dfd151817919bdb12016b27a327 | a0e27fcf84f916178571fd8ee8790bff97ca08ad3342a9084dbe30abef216ce0
3064 | exec.bin.exe | C:\$Recycle.Bin\S-1-5-21-1302019708-1500728564-335382590-500\desktop.ini | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.[[email protected]].LotR | binary | 6c75f9e2bd695e705da9c1cecefe18de | 5d16ed5040342d3b6df6602f1b95befdc10579bab62923ba439b96a5ca7cb78f
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.[[email protected]].LotR | binary | 60218341e950882ded028f66a3ab6a61 | fef41edbe34daf1050edf04cad42d858abbecaa15e7f9451cd20f6e4ef23aa0d
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR | binary | 6573fe291fc157d583c988657682143b | ea9e2ee6de00145e119a29ce98173260ccbdbc5ae115397bfaea1d44675be159
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.[[email protected]].LotR | binary | e613e7dbcde4fdb7c71d4ac6ee27f312 | b5fa7a01650437cb2397cc1b978850918b8e68e7e7071a6c1f7fe04ebac66c60
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.[[email protected]].LotR | s | c58d80c598df06c2f72f31823949794e | 2b836f27d152a98882233495eb085c36100e52b5d760cd0f2a5a36614298d17a
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR | binary | ac8fb0ad079bd3a09d603a2eb39c3479 | 73bc94df08bfd28bc587696552fe529a92d7d0acc6354e183a7e0a8ed17047c3
2704 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{65413523-A967-11E9-95C0-5254004A04AF}.dat | –– | –– | ––
2704 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF905F176A6257CE56.TMP | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.[[email protected]].LotR | binary | 9e2a16f868cd771bf7ca258cc76900af | 96f74d8ac6285e73f09c27cea6d69e0a0d34695eec8a0dff439a5985375d04c4
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.[[email protected]].LotR | binary | 12542dac42da1497da4720ddbd7918ab | f7c776a6bd4e3ca463651e0b88973bf9a49d41c01c2c5c67af35bc099a5e31d1
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR | binary | 9741f50e0842d6adb478a3313c94a1dc | 354bf20c6564a97e9ddedfd2c04357bcc6b9937e9e2111cb722567ae4d8fb0f4
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.[[email protected]].LotR | binary | d7749f1161e0ed09fb9417b8b381a82e | 4a9971a711d5996b39d77e706ba9ed293e13e0c8351ed56ab8d42f8bd0db639e
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.[[email protected]].LotR | binary | 1700660328f1d1bcb6b19962386785c2 | df4ff8242233c3d6aba33724d18c3ede339a026fc41b3e0dd9e83a13e723f229
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.[[email protected]].LotR | binary | 4801f825b0bc23e76f6c42c19d3a989f | 771d06ab830749b94a1e13807f27ca5253d5b8530a6f4e489732e3bcfbd7db9d
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.[[email protected]].LotR | binary | 8742f93603f6737cf2b876db1e5823ac | bdc2a8f21a2e26c3603794e1184ea8ba95ec5003218241df10a1225d47b801a7
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR | binary | 872d7f4a05edfa2af4c0d72729fd64e3 | a9ef8082dee5eee22b34748358459efa77b11589272efbd27532bb153583ef03
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.[[email protected]].LotR | binary | 4db37a752f1078a30c71472ed273953c | 81ce7ac57538c4212c66ed222429fbc5f83210acf82ca78f7f37c3528b2fd0c3
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.[[email protected]].LotR | binary | 28e4ffd314a297ba047ad99714bde348 | 09cdbaca8f2d7040565a8c8615ceedf2aa70a5793f004ebd33607d2f75fff48b
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.[[email protected]].LotR | binary | 74784285444799dc1dd675408fcc8f1f | c055629804c28715e9c26957e644f84ca18a360d682d7575ca9b1d6f82519b37
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.[[email protected]].LotR | binary | 05a9dfab6c2fae4ac19c429f77dc2b55 | 7eb117ca7ec2ccd96c590a4a3acbf2999463b1d4ec924821ed4bcac53e68981d
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.[[email protected]].LotR | binary | 0efe2f2105eb55f108207473ef70b7ef | 07bcdd2c5a33cd3c5c780e0eba6a98147728e6612af273561e2d499f80c77ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.[[email protected]].LotR | binary | 0e00f1649c8f90f5263a74c58634e0be | df6aa8a89042fc0e326f6d0db4185a9fe89134057ba962f0a335c9bbc9ea50d4
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR | gpg | ef1fc161523ca1b082e4eb23ea1ad05b | 954516e11cc245b1863b5d2bc17e8c38a134d27c9ca405a89bd686006ef35c42
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.[[email protected]].LotR | fli | 0b9f200809104d3311b93ebea86c153a | fd525cb30932c4329001f9a0038f1f8e8cf6b58dc93a006d14639d634206c8e9
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.[[email protected]].LotR | binary | c0bf8dbfba465ea76b8d8b4f6e3e3c69 | 242a619f9d2b4d245a5e345366e94b8d154f01053335c291384ae4cfca9e0639
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SIWW2.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SIWW2.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SIWW.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SIWW.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.xml.[[email protected]].LotR | binary | bf14443d6836b31659c62e0ee024a233 | b657ad97c6e446726023f93ca90faf891904e6b7bfc57d6a6a650e2aa44abb7b
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.msi.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\SingleImageWW.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR | binary | 6f759b2bf9d264868a3da1d573fdec7e | edf0fc61ca2dbefa3f80bb961da08bb608cc93a3dc979211d568fbd22ef78bdc
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Setup.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\setup.exe.[[email protected]].LotR | binary | a0b46d2a768f9dbbeaac5a0d3842df8a | 1a73ca6aed128b007713932dbeeaae84f3fd48c79ac2994b8dc8be1b24dec050
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\setup.exe | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.[[email protected]].LotR | binary | 8dff287b6a77070b864fb7f394add4db | 86cbe0d05a116b0ab3b03177d186cf51cff7af180c453b42794ebc23d322bd9d
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\PidGenX.dll.[[email protected]].LotR | binary | 7b1a1217dd22e52156f6b74c8b450e3d | 85718fa2af472970ffba6619f55c6eea5abd7424148cb083b295dbd4b55e404e
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\PidGenX.dll | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\OWOW64WW.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\osetup.dll | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\osetup.dll.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\ose.exe.[[email protected]].LotR | binary | b8454de5867a5d8a98f9b26dcc464685 | 75d8b90a1f8e5e6c16e8707b3fa7a086c1cd94e7e154052dbe54ba5fc8440ec6
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\ose.exe | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.xml.[[email protected]].LotR | binary | 3d16eceaeb557ffd9b209ffc1fb8ac74 | 6ec9649aa7ad248d1b05fa97c72e726455c572c59b42ef0799a896c64309a8c9
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.msi.[[email protected]].LotR | binary | be32c13966f295af959f720f1b9f1d83 | 70b6cfc19801175af12831b007a5004b6074bed31d64ddaa342318a575585f64
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-003D-0000-0000-0000000FF1CE}-C\Office64WW.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR | binary | 4e2b2c76b6440d788e0e286a68acca20 | 7a82df899da8df3cdfe6baf717b003aa19263f76b13d073c8950aff95b97ba46
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.[[email protected]].LotR | binary | c72f902642c3d069f2997b95ee14344e | 0360606c7d20aeb9bb2c083bad912d2478c5f1b6ad74219ecccc45b59ff70a8b
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.[[email protected]].LotR | binary | 41f04304b3577ac335c0c4a71ec8c18a | 9cc307dcf40370ea5880c8ca07b6ce3893834f5da188df49f631762e3dfe3163
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\#NEW_WAVE.html | html | d5d8168ba4752ef6b57a8c3ca30718f6 | 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll.[[email protected]].LotR | binary | 1e579f6c2b09b4b2d59b1ad85612312d | 8d8324efa7f0e1bd8de3f614e4fd9a741d04fe9a021dad1bb40d5056236406b5
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.[[email protected]].LotR | binary | ab15f7ca9ba5547ec01642a7f9602ab0 | 6523c13498defe4d1efc12d697468ff6ac7d630783e389be9e5d043b7ee1785a
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR | binary | 910a5f07355b5a0b6ec5d5c6564dc264 | 567adfd56cc6fd3b983e856f54e6adbf8a68e56f571dddf88d07ca135fd3f05e
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.[[email protected]].LotR | binary | e5797f09d1da46bc92a7a6bf693510c7 | d15d5a45a52f6ffff471fd9e3f1bf599092ef2d2bac35c687a992cbf2958a3c7
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.[[email protected]].LotR | binary | 8a6528c961dc2a8abbc6a2f7e41c6fbd | 171ab93f6799d8c706289e8c62fe678eed2099b51f821d1ec8c3c7ce3a18a1b0
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll.[[email protected]].LotR | binary | 621650af611ed302e2cf6372a2f4b5a4 | cc425a76ac0374ea09183d2b02c341d9337b5b88584c15e0159a35fbe251bf8c
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\osetupui.dll | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.[[email protected]].LotR | binary | 33b81142b338f0fb332407e3d02c9200 | 180f9a9aa8bd8f05509ac7bef3cf337cf774617ec55ff4d73ad822f04728aae2
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.[[email protected]].LotR | binary | 4b15f43ef2a376d5ff37eb7bb2c40a51 | 02feedd5d38752aebab81d2322a12ed58c3d48a00670aa165a9ba7637b9eeaf1
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.[[email protected]].LotR | binary | 88129423cafd484348172017b8e04689 | 730a75175fbaffd132ce33aec5bd461aae4e608ad31373569f58b418efacaabf
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.[[email protected]].LotR | binary | 466b25c7834a25d104ef41a794142c9b | d36ae49ed77b3a3624a606571174fc2dff91b789a0592bc772b3211992bccd2c
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.[[email protected]].LotR | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab | –– | –– | ––
3064 | exec.bin.exe | C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll.[[email protected]].LotR | binary | f0544acf713602e3482354c23aa0af2b | 5e00efeddaaca2da9556d7e75020c02026c5048ed93dc26bdd9287d7222da6b7
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\msvcr90.dll
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.[[email protected]].LotR
binary
MD5: b150b237440a8766e2a25034f227d6d8
SHA256: 86349d31d934ba474b87935dcec9dc71e2c15eb683c0b601a880844dd27b7434
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe.[[email protected]].LotR
binary
MD5: 9005c20e99ca3cbbfb5098ba0d93e471
SHA256: 183b001ed4ab64bfaa48ac2e755d6f0b3c2a830bb3e26e188c287d92e6621a59
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwtrig20.exe
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll.[[email protected]].LotR
binary
MD5: eed2bb7440109cf5550c2e06f1c35a15
SHA256: bcdbe47829ea6364fa0059afc26bc778d3ff54a6bb62dc59eb0b5593fdd3952b
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwdcw20.dll
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE.[[email protected]].LotR
binary
MD5: 849cffc20f9d7253ad40102c8b237274
SHA256: cc176cfa0c28f86a930d6bc5bfadd8e59a371c0bd165fa72e6bebeb5fcf7a524
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\#NEW_WAVE.html
html
MD5: d5d8168ba4752ef6b57a8c3ca30718f6
SHA256: 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml.[[email protected]].LotR
binary
MD5: 14e2642e3d1d0ec2f612d993216ce5c1
SHA256: 20686fe69cdae442508ce9d4e18c436c7dacbe4fa965c6fc39f76aedc40ff4d7
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.[[email protected]].LotR
binary
MD5: e5a1c82097f9780493be25e1a3554130
SHA256: 9dfba35c1ec1b008ade28f953efd9bc86bbc792c6c3795dd5f61d8887fa1df35
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab.[[email protected]].LotR
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\#NEW_WAVE.html
html
MD5: d5d8168ba4752ef6b57a8c3ca30718f6
SHA256: 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.[[email protected]].LotR
binary
MD5: 112cadb91b064a0fda1d67128da552a0
SHA256: 9a55180c1f0e3084f9e29376b6c6334c4a230cd58ded0d8cbf6c6538dc7281ed
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.[[email protected]].LotR
binary
MD5: 4b8db58999aee937cbab6255ddc8fcbd
SHA256: 6b0d18c67958a8ef5e327b2dd0155b41cbd79c21cada8891293405b904a3f2f1
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.[[email protected]].LotR
binary
MD5: 4b0cb786ef79db6064ce4c416b331383
SHA256: 9a60cf172c9eca5408e904800aa72b29efa235ac95c2c7d3db59dc176e2ebd85
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.[[email protected]].LotR
binary
MD5: 74ddc672f3759dadaee314a8e5291737
SHA256: d98d535af547f9d90136bc23401e9df3f7963dd0f3fd4b464a1f27564220832d
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\#NEW_WAVE.html
html
MD5: d5d8168ba4752ef6b57a8c3ca30718f6
SHA256: 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.[[email protected]].LotR
binary
MD5: 476d5fccaaaef617d703922888152aca
SHA256: 51a21f492d90c75e2b078529db6e35198f0ec65e9a0c83474f72b74fb75459a3
3064
exec.bin.exe
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Esl\#NEW_WAVE.html
html
MD5: d5d8168ba4752ef6b57a8c3ca30718f6
SHA256: 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Esl\AiodLite.dll.[[email protected]].LotR
binary
MD5: 33d33a0727aa1be360398df27b676fd8
SHA256: b254421bb91315b62dd3c5ec2fd7db0e2fc15121a8d3f983636a9717d74d80a5
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Esl\AiodLite.dll
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Viewer.aapp.[[email protected]].LotR
binary
MD5: 4f88d2def9fa8b8e55a1af0b5f94967a
SHA256: 9d87653909a806e70b6a8608bab2ed5cb57e2603a46d5a7a2ea66d075be3314f
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Viewer.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Stamp.aapp.[[email protected]].LotR
binary
MD5: ec397b0eb3ae2333f5df58b604728112
SHA256: 82148b743901c125aa8b09be91df32f660acda6ddf7356dd801ec89b66e6d390
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Stamp.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Home.aapp.[[email protected]].LotR
binary
MD5: 0e93deccaaed8d731b68b2a9890ab521
SHA256: ef2d6c489a2f86f48b22bbdc5e1fe84d52291c1f8d42f6d317acf8dc08bc3fc6
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\MoreTools.aapp.[[email protected]].LotR
pgc
MD5: e643e89aa1a39bc85666b37b172dea47
SHA256: 85a25c329ca2a9f987675bd67acc28f92cf18c0e465d52d3da0431855d94d5ed
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Measure.aapp.[[email protected]].LotR
binary
MD5: 359d9ee22c9ee22286ac1ed025296b0f
SHA256: 1d204f1216b9c8279b181d2d316dbee295e08a9cd2b65dacf7cfe6fc8ba1e41e
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\MoreTools.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Measure.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Edit_R_RHP.aapp.[[email protected]].LotR
binary
MD5: d2ea6b35432c4b98923303e8c5c9e214
SHA256: 10ec7314a6d24019367d0fd3129aab350569cef0a16e44e5e93daccdeefd8a33
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\EPDF_Full.aapp.[[email protected]].LotR
binary
MD5: 7e372913c2cf9708d36f09e1ebc005f3
SHA256: a8e33bae36b9a409dd017e321a441acdb621795786368c26a6855fafd816527c
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\EPDF_RHP.aapp.[[email protected]].LotR
binary
MD5: e9b7b8411e20858a8a3c7a34b5f25d56
SHA256: 91c19ef33efb07b0e9bc0ee7e8d9e7c0b8350ed7fe25f0f9dc3346a8a3b92286
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\FillSign.aapp.[[email protected]].LotR
binary
MD5: 02feaba1640d392860761ce06612d7fe
SHA256: 6a7ca12a70b2ca5df416a5c9b2fb2bda773bcb97808e0aa4a086d9d50e32ebc0
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\FillSign.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\EPDF_RHP.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Home.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\EPDF_Full.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Edit_R_Full.aapp.[[email protected]].LotR
binary
MD5: dab403aeb94e8ff1104f0e9844f15399
SHA256: 8561c9882e0d29054c9e346a0d9467b0e4af52d23de674870c5a8fd4abccee84
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\CPDF_RHP.aapp.[[email protected]].LotR
binary
MD5: f654e7cb00ab5acddd5528ae44865894
SHA256: 4e64179527d121646c4d639fc889e1469171fef69bd0c728027a4a87bbca7b1d
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Edit_R_Full.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Edit_R_RHP.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\CPDF_RHP.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Comments.aapp.[[email protected]].LotR
binary
MD5: 30860da4adf0c1689e274becc86d2b21
SHA256: b4fed0453f5fb82a65835c18efd7ca893c187cba0f699f16f7872af5544e970a
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\CPDF_Full.aapp.[[email protected]].LotR
binary
MD5: ac83af156203b6934e0ec0cbeb453add
SHA256: f2c76ad63bd1b75ee322d60ea0ad286772ed3937d43b4a501e755c5132883d42
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Combine_R_RHP.aapp.[[email protected]].LotR
binary
MD5: 3686b60b02ce792ca6fb93e3c112f265
SHA256: c5362b1999bf6879f9cfe1cbde1aec69ca4f7b27c0d856c6b7c478c4f672fd08
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Comments.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Combine_R_RHP.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\CPDF_Full.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Certificates_R.aapp.[[email protected]].LotR
binary
MD5: cfc3a5632ff83d07880362e6073bd82f
SHA256: 429cba82a10e8b688737a9848817aa41488909d83eea8767a5f9f9bee3fb5f62
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\Certificates_R.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\#NEW_WAVE.html
html
MD5: d5d8168ba4752ef6b57a8c3ca30718f6
SHA256: 8f557b4fd62424edf5c85994ccd89af63f72d9e09f9fd541e2c1f32394da3ff5
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\AppCenter_R.aapp.[[email protected]].LotR
binary
MD5: e7513e4c26bfbce3e35b2a36e168e969
SHA256: 004100aa9e536336febccdbff3cf7c5c5ece30844d4c14f7e1f3b5322976346c
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\Stamp.aapp.[[email protected]].LotR
binary
MD5: e3df9d28fd7d0791dd1ab7163a3e1217
SHA256: f6f6c4267f3fdf633b6a05bd91a7787f13e5625165e8a6294294b68c844268b9
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\Viewer.aapp.[[email protected]].LotR
binary
MD5: 27f8de6d0540c9a68284ff0cd012866b
SHA256: 82a3726819fd2b5b2de27c2bc681323e5097dcab00c0b74f00a2e317b55fce8a
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\Viewer.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CAT\AppCenter_R.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\Stamp.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\MoreTools.aapp.[[email protected]].LotR
binary
MD5: 5156e48d07a044002314943ac156cb29
SHA256: 1511c6e04e299b9b9d36fdbdd42b1213f856b4d12caef470bb6a3e05980b832f
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\Home.aapp.[[email protected]].LotR
binary
MD5: e412185c01d80e3732856b31b44cf7f8
SHA256: c77b0275fc355fd64232fa637eba0c60f0e5cba2082ae2077f0262819ebc6d3b
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\Measure.aapp.[[email protected]].LotR
binary
MD5: d90a5f97543d21a43e08e1de12a88106
SHA256: c0680431ac5edb2560ce50ac29df73ee0172825f5bb37d90cb001025f8aefb3b
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\Measure.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\Home.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\MoreTools.aapp
––
MD5:  ––
SHA256:  ––
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\FillSign.aapp.[[email protected]].LotR
binary
MD5: 8e2b7aa4b22d079b1b5b1b196d25ceed
SHA256: 0f14b5b78182a81bfed6a3d93edf190af9e88deea4ce44bda0e7a94750c84429
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\EPDF_RHP.aapp.[[email protected]].LotR
binary
MD5: 5c0893ac9438aa18e8e6a05a9f85c95e
SHA256: be5cfc130abf8b49f3f8520a88635e9646cac1c6c7a75fc24dbddf27c253851f
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\EPDF_Full.aapp.[[email protected]].LotR
binary
MD5: cf06cb4a5a73b09fe27dda4bdb79aa47
SHA256: 0769b62acdf6a670ba8ffcbb62f5172915019a440d56968b8457407d8ac55735
3064
exec.bin.exe
C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroApp\CHS\FillSign.aapp