Analysis Overview
| Field | Value |
|---|---|
| SHA256 | 154115262885b920680ca7d9160a046a1d3d01ddadbe43ae9af80dad1c0b03d0 |
| Threat Level | Known bad |
The file nopen.exe was found to be: Known bad.
Malicious Activity Summary
Detect Umbral payload
Umbral family
Umbral
Modifies Installed Components in the registry
Enumerates connected drives
Drops file in Windows directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Field | Value |
|---|---|
| Reported | 2023-12-01 10:05 |
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Umbral family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
|---|---|
| Submitted | 2023-12-01 10:05 |
| Reported | 2023-12-01 10:07 |
| Platform | win10v2004-20231127-de |
| Max time kernel | 27s |
| Max time network | 72s |
| Command Line | |
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Umbral
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\INF\mshdc.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\acpi.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\swenum.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\rdpbus.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\keyboard.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\monitor.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\cdrom.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\compositebus.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\vdrvroot.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\spaceport.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\pci.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\mssmbios.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\volume.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\volmgr.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\msmouse.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\hdaudio.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\input.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\usbport.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\vhdmp.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\umbus.PNF | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\INF\hdaudbus.PNF | C:\Windows\explorer.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1067295379-1486014338-1703171060-1000\{6F825BE1-0E06-4E51-934D-0DB59610C40C} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1067295379-1486014338-1703171060-1000\{998F8E78-055C-45CB-A252-77C4BA67E640} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nopen.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3332 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\nopen.exe | C:\Windows\System32\Wbem\wmic.exe |
| PID 3332 wrote to memory of 3200 | N/A | C:\Users\Admin\AppData\Local\Temp\nopen.exe | C:\Windows\System32\Wbem\wmic.exe |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\nopen.exe | "C:\Users\Admin\AppData\Local\Temp\nopen.exe" |
| C:\Windows\System32\Wbem\wmic.exe | "wmic.exe" csproduct get uuid |
| C:\Windows\system32\werfault.exe | werfault.exe /h /shared Global\afc59c9e27674337a8850492c116900d /t 3272 /p 3268 |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
| C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| NL | 142.250.179.131:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 98.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.175.53.84.in-addr.arpa | udp |
Files