Malware Analysis Report

2024-11-15 04:39

Sample ID 231201-l4vzmagh63
Target nopen.exe
SHA256 154115262885b920680ca7d9160a046a1d3d01ddadbe43ae9af80dad1c0b03d0
Tags
umbral persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

154115262885b920680ca7d9160a046a1d3d01ddadbe43ae9af80dad1c0b03d0

Threat Level: Known bad

The file nopen.exe was found to be: Known bad.

Malicious Activity Summary

umbral persistence stealer

Detect Umbral payload

Umbral family

Umbral

Modifies Installed Components in the registry

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-01 10:05

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-01 10:05

Reported

2023-12-01 10:07

Platform

win10v2004-20231127-de

Max time kernel

27s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nopen.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\mshdc.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\acpi.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\swenum.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\rdpbus.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\keyboard.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\monitor.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\cdrom.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\compositebus.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\vdrvroot.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\spaceport.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\pci.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\mssmbios.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\volume.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\volmgr.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\msmouse.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\hdaudio.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\input.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\usbport.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\vhdmp.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\umbus.PNF C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\INF\hdaudbus.PNF C:\Windows\explorer.exe N/A

Checks SCSI registry key(s)


Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1067295379-1486014338-1703171060-1000\{6F825BE1-0E06-4E51-934D-0DB59610C40C} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1067295379-1486014338-1703171060-1000\{998F8E78-055C-45CB-A252-77C4BA67E640} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nopen.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3332 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\nopen.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\nopen.exe

"C:\Users\Admin\AppData\Local\Temp\nopen.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\werfault.exe

werfault.exe /h /shared Global\afc59c9e27674337a8850492c116900d /t 3272 /p 3268

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
NL 142.250.179.131:443 gstatic.com tcp
US 8.8.8.8:53 98.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 203.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 138.175.53.84.in-addr.arpa udp

Files


C:\Windows\INF\hdaudbus.PNF

MD5 339f38a34a45b88ec9b97addd8d2202f
SHA1 7ad12de33ab86b395ff3a349ece5ef7a0044c05a
SHA256 92590015426e3d83e5e6e385a2fb55af4c45d5ec1442f5802f5ce2f2998471c8
SHA512 3d7049221faec3b3e968ee0feee711058248ec314a66108a9669ba01ef851bb379cb8e087bab491e6878dc3e55d68944ec033f94fb117aebb6cbd2253eeb8506

C:\Windows\INF\pci.PNF

MD5 1c67ee0504ad4dd5cf6f5431b5aee155
SHA1 0e49f4a36e56ca3a679e381236754da2135f911a
SHA256 658b9e6959f413a743af8d474a26fab53253b3f70e6e9f5670a16f2db6920244
SHA512 760859f4072a0881517be9d7d7b619f5c228775090d09f2f1d779b52a5e9c4038295e71ce884e182332464a6b5e39f36ba7261440d15f97c222eeab4a7832f45

C:\Windows\INF\usbport.PNF

MD5 830adf61bd79ad412e1b57bb09bb27fa
SHA1 9fbc5fe7c2b18f239bc67801eb11af7bffc72833
SHA256 20511453d4721a15c6c0dcc6e2351662e52f8ae0bb355cc3aefa920939e81cff
SHA512 c2f7c1877cc4a5ed767a37738ddc675ecca7d2fcb5a4f874e7d595b3ea05f179f4c9bcf2f82d70a8ecb80c7d6e7df3dfc010433e25d0c96c80b638b2be6f42c7

C:\Windows\INF\cdrom.PNF

MD5 1f3f032d20209df9be97b81f42599e74
SHA1 9e1025e88cea491e5d59caa317e119851e24e866
SHA256 1086ab72021586ebbacd354985997b0d433e189f554afc3693d723407e3c8200
SHA512 0145bc12462cf3cc29d3fdbd7f8c5bdf42ab813e177e1e985470fb373c837041c3920fc60ff048eba71a8a85ff69e930f7b4e9d4dd593b0fb2f9ab91e3d6eb52

memory/1556-58-0x0000000004000000-0x0000000004001000-memory.dmp

memory/3308-65-0x000001F8118F0000-0x000001F811910000-memory.dmp

memory/3308-67-0x000001F8118B0000-0x000001F8118D0000-memory.dmp

memory/3308-71-0x000001F811EC0000-0x000001F811EE0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

MD5 58ed46f158bed1abf076e00201274843
SHA1 a7d8ae1491d3d12f363d33a12379d5730e6f1dfb
SHA256 75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72
SHA512 e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

memory/1704-86-0x000002204A590000-0x000002204A5B0000-memory.dmp

memory/1704-88-0x000002204A550000-0x000002204A570000-memory.dmp

memory/1704-91-0x000002204AB60000-0x000002204AB80000-memory.dmp

memory/1240-102-0x000001D19D090000-0x000001D19D0B0000-memory.dmp

memory/1240-104-0x000001D19D050000-0x000001D19D070000-memory.dmp

memory/1240-106-0x000001D19D460000-0x000001D19D480000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

MD5 58ed46f158bed1abf076e00201274843
SHA1 a7d8ae1491d3d12f363d33a12379d5730e6f1dfb
SHA256 75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72
SHA512 e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

MD5 58ed46f158bed1abf076e00201274843
SHA1 a7d8ae1491d3d12f363d33a12379d5730e6f1dfb
SHA256 75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72
SHA512 e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

memory/4268-123-0x000001D706D20000-0x000001D706D40000-memory.dmp

memory/4268-127-0x000001D7070E0000-0x000001D707100000-memory.dmp

memory/4268-125-0x000001D7069D0000-0x000001D7069F0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

MD5 58ed46f158bed1abf076e00201274843
SHA1 a7d8ae1491d3d12f363d33a12379d5730e6f1dfb
SHA256 75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72
SHA512 e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

memory/2668-144-0x000002325D300000-0x000002325D320000-memory.dmp

memory/2668-147-0x0000022A5BFC0000-0x0000022A5BFE0000-memory.dmp

memory/2668-149-0x000002325D790000-0x000002325D7B0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\BNMBZPOS\microsoft.windows[1].xml

MD5 58ed46f158bed1abf076e00201274843
SHA1 a7d8ae1491d3d12f363d33a12379d5730e6f1dfb
SHA256 75bce75c49737202f1f4848a02f52952499d8bbcf28e3c2e45474c7b5e9f0a72
SHA512 e7e195475bbd9ce55f2452af7baa08f6dbb3b0a71f100bab3e5c07312d9c37896aa2685f1fc8cb13ee5c289c265be605fc43052ca82db79fb7f706c96144eebd

memory/2648-165-0x0000025747130000-0x0000025747150000-memory.dmp

memory/2648-168-0x00000257470F0000-0x0000025747110000-memory.dmp

memory/2648-171-0x0000025747700000-0x0000025747720000-memory.dmp