Malware Analysis Report

2024-09-09 18:59

Sample ID 240618-mazamataqk
Target keylogger.exe
SHA256 556f39b521ff9cba0b5c3bf77526b55995f03614a4d2e924d30ac5532bb3758b
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

556f39b521ff9cba0b5c3bf77526b55995f03614a4d2e924d30ac5532bb3758b

Threat Level: Shows suspicious behavior

The file keylogger.exe was found to show suspicious behavior.

Malicious Activity Summary

pyinstaller

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Detects Pyinstaller

Unsigned PE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 10:16

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 10:16

Reported

2024-06-18 10:19

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\keylogger.exe

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

C:\Users\Admin\AppData\Local\Temp\keylogger.exe

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21562\ucrtbase.dll

MD5 793eaa5f4b9e9433d63231a3da0cd2ae
SHA1 71dcba32528af7574a1bf463e1affd6ee25834b8
SHA256 da23ba5c0a69c2199bd2ba04ea6d2c022eac59829ac489f9286e4df7079ccf91
SHA512 7bfe866088037df804fc8979ddca6137aeabf48d59d171bdd0ca81c516f644aa8ad47b14458d73ab24800a829d4309987e1290234aace13e2a42e22127b463cb

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-localization-l1-2-0.dll

MD5 4fe440d0e1a94a6edf0082b898a90a23
SHA1 500a5920628606e75ec65620501593d6b96e5aad
SHA256 e7bc70deb2906c8da619ed47875cdd3ba3773c0b51f364d72e614e12d8faa099
SHA512 dc5bac73ce41f896bbdc675dda38975020efd15df38d71e2d31e3bb4529754270e87361a41ac9963713358aa11ebc541399bb7fe15eb86f1bfb37b19f7c0195f

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-processthreads-l1-1-1.dll

MD5 48299ab17180ef65231230a6f3ef313c
SHA1 7888684ed8c2416f7fab17f54fa82cc55398c414
SHA256 5d319f2d2d023c1606caed2f11286152f320290a6c3896bd00ecb19259a60395
SHA512 97a1580c87287dafdc0ee3002dab61080bf07c48779992f7c5dbd33c36c65096ef36302c2a97d03e317fa904824fc1631d8af814a1856338a520b9165699d1f9

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-file-l1-2-0.dll

MD5 652c7cb040b1c20e19e1b821f3f24459
SHA1 40140c4376d61e1df4985824ad5c8fd7e971dc27
SHA256 5bef7c226a29987a90075a393e85d0ba86ddd156a7fceaeb364d293cd3905e5a
SHA512 30833247e798b8000dad361296499246f84ead1ccca57be07418bdfcb9e5a23fd5702552507044f9d329a257faf08ec9a5aaa8b0ce16eb9a94813b62bd4951c6

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-timezone-l1-1-0.dll

MD5 d6dc0ea86ebf841b156e741339465f7f
SHA1 c0c04afb1857ce01458d71b53baebcbf7adb8c3c
SHA256 8b40a5d5a607f0426901bfd30810095e2c9da10f4c49233a6e43d4bb91739b8d
SHA512 cb24164fef7bfb3e4fa211ce75362076909e2b7a555ca530024aac83365c33c3f643982aa6646effe3763abfeb86b3a1135d5b0b74c2c962f3416803d223382e

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-file-l2-1-0.dll

MD5 4f4674d75b05ec0f1709657ffd1721c4
SHA1 5535569a5af2f29ba21ac8d2253baa723fbf7c7e
SHA256 7d2cf4e557b704d5488cb5c8eabad9b87bca6b56fcdac4b88f5a3181215c8a85
SHA512 bd6e6382eba1fdee6de512a63c47dda9ecce64393d3b9848359e1cdaaaf2e333f85264def9e8cd9ebb9f113ced44d1c130d941bd7680558930d2b5938ceb9814

C:\Users\Admin\AppData\Local\Temp\_MEI21562\python38.dll

MD5 15dc83636ae9a81d7655b96c5e35ceb9
SHA1 d1d24acbde8cbae61a023200a457b152f2f41959
SHA256 2ff297c95ec95f584edde4e1f852aa4aa7976ca659380a86551cbaa20b20a33a
SHA512 bc145b0db0e9ed08f37603ee0a5fab50e2168c6ed43f75b22b2b03f853aa2c019ca85bf877079e38e5b616688cc641ed81e2421ab2f3940ac826e188a1aa1225

C:\Users\Admin\AppData\Local\Temp\_MEI21562\VCRUNTIME140.dll

MD5 2ebf45da71bd8ef910a7ece7e4647173
SHA1 4ecc9c2d4abe2180d345f72c65758ef4791d6f06
SHA256 cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b
SHA512 a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-runtime-l1-1-0.dll

MD5 dfe4099b6fd8fe8046f049fb62fdc268
SHA1 ab68760a07d90a8f05cebf193e99abc5284bb5cb
SHA256 7b3fa7bbbe8e5322468f8bc6cebbca2961d79d1afb8c185f1c7f86ec20a42b26
SHA512 4adedc5ab61a07a9f40219b2357e689933a97a64647efd42ee20e5915fc38a8045af8ccb8748589d31f6eacfeb04365cf5c1a6433914b577e02624c07e578de2

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-heap-l1-1-0.dll

MD5 468fc4b93704924a19bb66df967f6e36
SHA1 02dcde5c958b430e2234504c5e9e0cfc3c51037d
SHA256 44305b85aae2a8321ba129a2f4c7db6810272b6393963f1c52bd921540f79d99
SHA512 81b1ff15c31a94bf030058158257c6963872be405cc2eb0addb1a88eebb6e41846139bc681fafa5ee17cee033bbe04c0c44806dcd09dd746c5f4877f137ec370

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-string-l1-1-0.dll

MD5 a5e84828ce5143a0de7ee6915cd436b3
SHA1 a9fab2c91c7ebe4fe94c10574c52591e46ec80ff
SHA256 2b86d225683dd5b010caf66b8c30a47ae6c9125219e4f25dbf0f535db898ef53
SHA512 7ddd527737163d71fdb778e906999d1700b8b117a5444ca245b057d193da7d7fbbe88513273aafcf13d743e76784beaa007639c386152b8855683723c9ee4f02

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-stdio-l1-1-0.dll

MD5 233a3ddc8a4765d25cc871a059e3b2d5
SHA1 fa771ecf63a7e0ae59920189fb892ec10783ff18
SHA256 58f77e55602a130557abfbbb68bfcd38ad682015971fac0f1eb9f70c5e5fac9a
SHA512 4740ca5e62441416706614af66ba70d1b5dcac294016ddec8a51bf2a1bfc78e9bed6c0b909bf80f23a99309bdfe323be49f76d26f3eefbbdfdb7facc0142c52a

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-convert-l1-1-0.dll

MD5 c2b3fda844a63720d2d538c180bc099d
SHA1 2e193af1d5bb555eceab2567e6bdc8de5ea37389
SHA256 03308d18c25c91c7842435aeae6ac2a881d944a476ca08c3c31b225bb694e2f9
SHA512 085c22480f21d1a00c416d88002e90d69a98b6f22ffbede9fb4be47160afde39594e4c347b8f528138ceb414e42853638a364a7c76196eb5b87aa0f0e939673f

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-math-l1-1-0.dll

MD5 88f33a15df3b2b607641355efca9045e
SHA1 3a8d44df0db031f04de26b989b6354fa503286f1
SHA256 dec6b63bd8bafbfaffeac60d1893f65db493330c47b004e15077d36a9f6b5620
SHA512 fde91877e10b2c849f40976cbafb52d14250a2d7bad3d1fbd06a99733e8bff301af2a3456c174eb65b8e836ba3ca73bb129621c077538ffadbe7e3090f5d5f5f

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-locale-l1-1-0.dll

MD5 035aa6a1726b0ea41c77654abc193ffa
SHA1 5829e379e36aedc747544d8b68a50c887796a866
SHA256 001103cfd5744e5edeb9afc71a5003bd96bca16905af875962c0ce8554c569d4
SHA512 3f5f50a2969f11f6153786712db423414a84646851960b47572cf07519fe8c57157c00f07a4f77ef94b278d536c703d634dfc8e06c815be417e3794bb7d8450c

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-time-l1-1-0.dll

MD5 bb221fa7123ce13acc3b9d07f9b3772f
SHA1 9cc71495b8e0ce99d11e7d819bae4a60cfd1a331
SHA256 5ff841504800e7ac70b417be6267d75d1898d249d3d29dbafd0821c9167cabac
SHA512 4ba4a0bddfffa9331da0baadb7d6bae8a2ad0185cac13c9aaf0c7ffe50ebc342c6597b457f957224eda192528a81001df45a72362cc0348bbf35b8d93fa8d599

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-environment-l1-1-0.dll

MD5 d6be6616c9e09f56e03f624237370000
SHA1 d7abb8b13b767156956020509fb9a44ef47e4a61
SHA256 6540a2c1f61247a3701dc667c7451eae1a80eed12a3fd7b41cb3fdade6b945be
SHA512 979711aae08c067e979afd31e688a8d58835f9beff2e1c2fcb5d3c24ce763a0a483d9fd316c98399ba1d1657a7dc477992963f6e9efcdfa25841a998496595c8

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-process-l1-1-0.dll

MD5 83a20175731641ee65f2d3be3e55370b
SHA1 c73a7c809e91874b358b1ab250b64d76aa1d3b68
SHA256 7c6fac5370ed2e8b99ad0cf8f3126b5abe1ffa1a993200b7fd271a3d9e94719a
SHA512 827261cba5351f21531c5e58f0b76a07398b3443a2d1708a15bcdbbffa9b55cfd6ed73b756eae7554ab5d7c45393590eba1a43d3b7262160e7e4d70fef26c973

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-conio-l1-1-0.dll

MD5 428bc69de382d69a5e1c866af66344d1
SHA1 7386ddd99718d8e314f853ee85dc142a892013ca
SHA256 e78c38c7aeb7c8b0427783c46c030d7e66b7eb5e9b8fbf1242d947a1c3412cd5
SHA512 7960c5895eed6a415bd3a6f9e873a24ff78ebbe2627835542a7380ec45ca63d5dc9a96748893d779702bb744dcf488999f8c024c22771d7b192ed594130d627f

C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 fa9ffd35fe0fa5807f9709c51accdb1c
SHA1 4c554264c04efcedb706c1663f950236cb6fca00
SHA256 0468f39869fabe17fc0a5382cae5eccf4d0c6120ed6ab2e67242eb7c53729347
SHA512 f64f9a7713a1a2a8022b893f08336151e4efe3be25fe7611d52e1e24f08c07da100cccafd076f13e4ee7a22ca5bb70c5d74bc84831174a59fe8367db54b5948a

C:\Users\Admin\AppData\Local\Temp\_MEI21562\base_library.zip

MD5 980803999e3d3bd6bede5686f86fac8a
SHA1 22dc630261b52c28ba6a96087cea822860b20862
SHA256 ae8d5a7ffdf6e0b75b930e2253fae4a241e198625cf8579c1dc3113ea8280dea
SHA512 7d586948f7c06bf5bb12cb45d8ab1535a8a3e955419d5b1349870259b3b4ae6b29a1bc546631f384dc6e8f98d01d32d71f9f57f61b18c8b0b6ac004592b4d092

C:\Users\Admin\AppData\Local\Temp\_MEI21562\_ctypes.pyd

MD5 6264e928d931bd665febeda1d1b15117
SHA1 f656513a17237543de115a5864a49e71e7a6049a
SHA256 a12fc926903b095c7cde1c020b2519428845f485ff5964c296667246b2e0f262
SHA512 b4e1cdf8b12ca026e3d330037eb570cf055e95e8d96e5700cf752191b5b1b468cff3a5317cbdfc54e71e1ab1e75674f15f7df246d75d3a29b47ecb373226166d

C:\Users\Admin\AppData\Local\Temp\_MEI21562\libffi-7.dll

MD5 bc20614744ebf4c2b8acd28d1fe54174
SHA1 665c0acc404e13a69800fae94efd69a41bdda901
SHA256 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57
SHA512 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

C:\Users\Admin\AppData\Local\Temp\_MEI21562\_bz2.pyd

MD5 afc7802468dca43cff7bf902feace6a0
SHA1 cd028e3178ed5cff9e2d2b5752c3651124b66614
SHA256 8efbc8f4dd21267a6b9a72276a48aff5944f0982b577172675db2bda457cceb1
SHA512 b445a61b8e1e56273169a2f55b88a3ccd3351bc03e99b3edf8ba1792483e7bb33eaedfe5561a2f6070c41c9c41a878a2367bcd4662da22532d905af7638a8155

C:\Users\Admin\AppData\Local\Temp\_MEI21562\_lzma.pyd

MD5 fcbceb644f1d31ef3ee573bca0a11601
SHA1 fabdda171a58b2d07e4fafa1a15629e1f5039b4f
SHA256 1b597eeb44fe2986e85c9c501670b88c267b8cddbb453fcc5832f609080f13fc
SHA512 21fa8ab08a5e4a4d02fe6678e89c3f2be8576a5c15bcef38b88504889794e23d8de223052f963c42075b5548a6a9364ac8f100171f47b6fe1d917d7b2684a7b5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 10:16

Reported

2024-06-18 10:25

Platform

win10v2004-20240508-en

Max time kernel

532s

Max time network

524s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\cleanmgr.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\cleanmgr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\LogFiles\setupcln\setuperr.log C:\Windows\system32\cleanmgr.exe N/A
File opened for modification C:\Windows\system32\LogFiles\setupcln\diagerr.xml C:\Windows\system32\cleanmgr.exe N/A
File opened for modification C:\Windows\system32\LogFiles\setupcln\diagwrn.xml C:\Windows\system32\cleanmgr.exe N/A
File opened for modification C:\Windows\system32\LogFiles\setupcln\setupact.log C:\Windows\system32\cleanmgr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\PBR\SessionID.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe N/A
File created C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Microsoft.NET\ngenserviceclientlock.dat C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe N/A
File created C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\cbs_unattend.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\unattend.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\actionqueue C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\INF\setupapi.offline.20191207_091437.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\diagerr.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\INF\setupapi.dev.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\Contents1.dir C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\DDACLSys.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\setupact.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\BCDCopy C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\setuperr.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\cleanmgr.exe N/A
File opened for modification C:\Windows\Logs\PBR\INF\setupapi.setup.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\_s_3CAD.tmp C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\setupact.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\rescache\_merged\1973483750\143545448.pri C:\Windows\system32\LogonUI.exe N/A
File created C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\unattend.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\_s_3B25.tmp C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\BCDCopy C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\PushButtonReset.etl C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\SessionID.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Timestamp.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\setup.exe C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\cbs.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\setuperr.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\INF\setupapi.offline.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe N/A
File opened for modification C:\Windows\Logs\DISM\dism.log C:\Windows\system32\cleanmgr.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\setup.etl C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\ReAgent\ReAgent.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\Contents0.dir C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\INF C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\BCDCopy.LOG2 C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\diagwrn.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\CBS\CbsPersist_20240618101704.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\DISM\dism.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\diagwrn.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\setuperr.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\setupinfo C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\ReAgent\ReAgent.xml C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\DISM\dism.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\DISM C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\UnattendGC C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\Panther\cbs_unattend.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\setupact.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File created C:\Windows\Logs\PBR\Panther\Contents1.dir C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
File opened for modification C:\Windows\Logs\PBR\INF\setupapi.offline.20191207_091437.log C:\Windows\system32\SystemSettingsAdminFlows.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\cleanmgr.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom C:\Windows\system32\cleanmgr.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ C:\Windows\system32\cleanmgr.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 C:\Windows\system32\cleanmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\cleanmgr.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\System32\vds.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 C:\Windows\system32\cleanmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631795529408069" C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\cleanmgr.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\cleanmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\lpksetup.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\lpksetup.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\lpksetup.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe N/A
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1172 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe C:\Users\Admin\AppData\Local\Temp\keylogger.exe
PID 3364 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe C:\Users\Admin\AppData\Local\Temp\keylogger.exe
PID 4684 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe C:\Windows\SysWOW64\cmd.exe
PID 4252 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe C:\Users\Admin\AppData\Local\Temp\keylogger.exe
PID 4228 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\keylogger.exe C:\Windows\SysWOW64\cmd.exe
PID 4440 wrote to memory of 436 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 436 wrote to memory of 4000 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\keylogger.exe

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

C:\Users\Admin\AppData\Local\Temp\keylogger.exe

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\keylogger.exe

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

C:\Users\Admin\AppData\Local\Temp\keylogger.exe

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Users\Admin\AppData\Local\Temp\keylogger.exe

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

C:\Users\Admin\AppData\Local\Temp\keylogger.exe

"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.0.6729523\10116199" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c90b44d6-d760-4f34-891c-18cdc401a2ed} 436 "\\.\pipe\gecko-crash-server-pipe.436" 1900 1ce56ef6658 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.1.1478798230\304745961" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bec637a-ae27-4590-afca-3251ee3fcace} 436 "\\.\pipe\gecko-crash-server-pipe.436" 2468 1ce4b489358 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.2.2121412063\38665499" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9714b19-83ca-4210-a303-10a9c6a7ce15} 436 "\\.\pipe\gecko-crash-server-pipe.436" 2972 1ce5aaed858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.3.393318138\1438030093" -childID 2 -isForBrowser -prefsHandle 4072 -prefMapHandle 4068 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c02f3a2-8aed-418b-bffd-4842b3c0729e} 436 "\\.\pipe\gecko-crash-server-pipe.436" 4084 1ce5d177058 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.4.1132473238\1857119703" -childID 3 -isForBrowser -prefsHandle 5104 -prefMapHandle 5088 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17cdb964-d5fd-4baa-9242-4351610aed06} 436 "\\.\pipe\gecko-crash-server-pipe.436" 5112 1ce5ef48e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.5.2121281201\363789744" -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5324 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59e2f81b-02c0-4e42-ad37-a0ac9fa631d7} 436 "\\.\pipe\gecko-crash-server-pipe.436" 5336 1ce5ef49158 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.6.760905987\1644721872" -childID 5 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b60e316f-627b-4995-b88b-c17a54ef64e5} 436 "\\.\pipe\gecko-crash-server-pipe.436" 5232 1ce5ef4ac58 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffefbbdab58,0x7ffefbbdab68,0x7ffefbbdab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4008 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5112 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4348 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4516 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5136 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3304 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5284 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3148 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1

C:\Windows\system32\cleanmgr.exe

"C:\Windows\system32\cleanmgr.exe"

C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe

C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe {CADB0222-403C-41BE-8B6D-774C222D0E19}

C:\Windows\system32\lpksetup.exe

/s /r /u de-DE es-ES fr-FR it-IT ja-JP uk-UA

C:\Windows\system32\lpksetup.exe

"C:\Windows\system32\lpksetup.exe" -Embedding

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbf57352fh91fbh45c9h8785hf40a041fcdb2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xfc,0x104,0x7ffef6c646f8,0x7ffef6c64708,0x7ffef6c64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,4633697736553077998,12522378877829617252,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,4633697736553077998,12522378877829617252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,4633697736553077998,12522378877829617252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa397c855 /state1:0x41c64e6d

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe Update /Queue /Delay

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe Update /Queue /Delay

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country  Destination        Domain                                 Proto
N/A      127.0.0.1:56245    N/A                                    tcp
N/A      127.0.0.1:56251    N/A                                    tcp
US       8.8.8.8:53         contile.services.mozilla.com           udp
US       8.8.8.8:53         spocs.getpocket.com                    udp
US       8.8.8.8:53         getpocket.cdn.mozilla.net              udp
US       8.8.8.8:53         content-signature-2.cdn.mozilla.net    udp
US       8.8.8.8:53         push.services.mozilla.com              udp
US       8.8.8.8:53         shavar.services.mozilla.com            udp
US       8.8.8.8:53         firefox.settings.services.mozilla.com  udp
US       8.8.8.8:53         roblox.com                             udp
US       8.8.8.8:53         contile.services.mozilla.com           udp
US       8.8.8.8:53         spocs.getpocket.com                    udp
US       8.8.8.8:53         getpocket.cdn.mozilla.net              udp
US       8.8.8.8:53         content-signature-2.cdn.mozilla.net    udp
US       8.8.8.8:53         push.services.mozilla.com              udp
US       8.8.8.8:53         firefox.settings.services.mozilla.com  udp
US       8.8.8.8:53         www.google.com                         udp
US       8.8.8.8:53         clients2.google.com                    udp
N/A      224.0.0.251:5353   N/A                                    udp
US       8.8.8.8:53         google.com                             udp
US       8.8.8.8:53         google.com                             udp
US       8.8.4.4:53         google.com                             udp
US       8.8.8.8:53         4.4.8.8.in-addr.arpa                   udp
US       8.8.8.8:53         roblox.com                             udp
US       8.8.8.8:53         cxcs.microsoft.net                     udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI11722\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI11722\python38.dll

C:\Users\Admin\AppData\Local\Temp\_MEI11722\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI11722\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI11722\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI11722\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI11722\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI11722\_lzma.pyd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

\??\pipe\crashpad_1252_GGZNAAKIJRFCEIYG

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\DismHost.exe

C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\DismCorePS.dll

C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismprov.dll

C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\OSProvider.dll

C:\Windows\Logs\DISM\dism.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Windows\Logs\PBR\Panther\diagerr.xml

C:\$SysReset\Logs\setupact.log

C:\Windows\Logs\PBR\Timestamp.xml

C:\$SysReset\Logs\setuperr.log

C:\Windows\Logs\PBR\SessionID.xml

C:\Windows\Panther\UnattendGC\diagerr.xml

C:\Windows\Panther\UnattendGC\diagwrn.xml
