Analysis Overview
SHA256
556f39b521ff9cba0b5c3bf77526b55995f03614a4d2e924d30ac5532bb3758b
Threat Level: Shows suspicious behavior
The file keylogger.exe was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Detects Pyinstaller
Unsigned PE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Uses Task Scheduler COM API
Opens file in notepad (likely ransom note)
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-18 10:16
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-18 10:16
Reported
2024-06-18 10:19
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21562\ucrtbase.dll
| MD5 | 793eaa5f4b9e9433d63231a3da0cd2ae |
| SHA1 | 71dcba32528af7574a1bf463e1affd6ee25834b8 |
| SHA256 | da23ba5c0a69c2199bd2ba04ea6d2c022eac59829ac489f9286e4df7079ccf91 |
| SHA512 | 7bfe866088037df804fc8979ddca6137aeabf48d59d171bdd0ca81c516f644aa8ad47b14458d73ab24800a829d4309987e1290234aace13e2a42e22127b463cb |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 4fe440d0e1a94a6edf0082b898a90a23 |
| SHA1 | 500a5920628606e75ec65620501593d6b96e5aad |
| SHA256 | e7bc70deb2906c8da619ed47875cdd3ba3773c0b51f364d72e614e12d8faa099 |
| SHA512 | dc5bac73ce41f896bbdc675dda38975020efd15df38d71e2d31e3bb4529754270e87361a41ac9963713358aa11ebc541399bb7fe15eb86f1bfb37b19f7c0195f |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 48299ab17180ef65231230a6f3ef313c |
| SHA1 | 7888684ed8c2416f7fab17f54fa82cc55398c414 |
| SHA256 | 5d319f2d2d023c1606caed2f11286152f320290a6c3896bd00ecb19259a60395 |
| SHA512 | 97a1580c87287dafdc0ee3002dab61080bf07c48779992f7c5dbd33c36c65096ef36302c2a97d03e317fa904824fc1631d8af814a1856338a520b9165699d1f9 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-file-l1-2-0.dll
| MD5 | 652c7cb040b1c20e19e1b821f3f24459 |
| SHA1 | 40140c4376d61e1df4985824ad5c8fd7e971dc27 |
| SHA256 | 5bef7c226a29987a90075a393e85d0ba86ddd156a7fceaeb364d293cd3905e5a |
| SHA512 | 30833247e798b8000dad361296499246f84ead1ccca57be07418bdfcb9e5a23fd5702552507044f9d329a257faf08ec9a5aaa8b0ce16eb9a94813b62bd4951c6 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | d6dc0ea86ebf841b156e741339465f7f |
| SHA1 | c0c04afb1857ce01458d71b53baebcbf7adb8c3c |
| SHA256 | 8b40a5d5a607f0426901bfd30810095e2c9da10f4c49233a6e43d4bb91739b8d |
| SHA512 | cb24164fef7bfb3e4fa211ce75362076909e2b7a555ca530024aac83365c33c3f643982aa6646effe3763abfeb86b3a1135d5b0b74c2c962f3416803d223382e |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-core-file-l2-1-0.dll
| MD5 | 4f4674d75b05ec0f1709657ffd1721c4 |
| SHA1 | 5535569a5af2f29ba21ac8d2253baa723fbf7c7e |
| SHA256 | 7d2cf4e557b704d5488cb5c8eabad9b87bca6b56fcdac4b88f5a3181215c8a85 |
| SHA512 | bd6e6382eba1fdee6de512a63c47dda9ecce64393d3b9848359e1cdaaaf2e333f85264def9e8cd9ebb9f113ced44d1c130d941bd7680558930d2b5938ceb9814 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\python38.dll
| MD5 | 15dc83636ae9a81d7655b96c5e35ceb9 |
| SHA1 | d1d24acbde8cbae61a023200a457b152f2f41959 |
| SHA256 | 2ff297c95ec95f584edde4e1f852aa4aa7976ca659380a86551cbaa20b20a33a |
| SHA512 | bc145b0db0e9ed08f37603ee0a5fab50e2168c6ed43f75b22b2b03f853aa2c019ca85bf877079e38e5b616688cc641ed81e2421ab2f3940ac826e188a1aa1225 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\VCRUNTIME140.dll
| MD5 | 2ebf45da71bd8ef910a7ece7e4647173 |
| SHA1 | 4ecc9c2d4abe2180d345f72c65758ef4791d6f06 |
| SHA256 | cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b |
| SHA512 | a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | dfe4099b6fd8fe8046f049fb62fdc268 |
| SHA1 | ab68760a07d90a8f05cebf193e99abc5284bb5cb |
| SHA256 | 7b3fa7bbbe8e5322468f8bc6cebbca2961d79d1afb8c185f1c7f86ec20a42b26 |
| SHA512 | 4adedc5ab61a07a9f40219b2357e689933a97a64647efd42ee20e5915fc38a8045af8ccb8748589d31f6eacfeb04365cf5c1a6433914b577e02624c07e578de2 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 468fc4b93704924a19bb66df967f6e36 |
| SHA1 | 02dcde5c958b430e2234504c5e9e0cfc3c51037d |
| SHA256 | 44305b85aae2a8321ba129a2f4c7db6810272b6393963f1c52bd921540f79d99 |
| SHA512 | 81b1ff15c31a94bf030058158257c6963872be405cc2eb0addb1a88eebb6e41846139bc681fafa5ee17cee033bbe04c0c44806dcd09dd746c5f4877f137ec370 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-string-l1-1-0.dll
| MD5 | a5e84828ce5143a0de7ee6915cd436b3 |
| SHA1 | a9fab2c91c7ebe4fe94c10574c52591e46ec80ff |
| SHA256 | 2b86d225683dd5b010caf66b8c30a47ae6c9125219e4f25dbf0f535db898ef53 |
| SHA512 | 7ddd527737163d71fdb778e906999d1700b8b117a5444ca245b057d193da7d7fbbe88513273aafcf13d743e76784beaa007639c386152b8855683723c9ee4f02 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | 233a3ddc8a4765d25cc871a059e3b2d5 |
| SHA1 | fa771ecf63a7e0ae59920189fb892ec10783ff18 |
| SHA256 | 58f77e55602a130557abfbbb68bfcd38ad682015971fac0f1eb9f70c5e5fac9a |
| SHA512 | 4740ca5e62441416706614af66ba70d1b5dcac294016ddec8a51bf2a1bfc78e9bed6c0b909bf80f23a99309bdfe323be49f76d26f3eefbbdfdb7facc0142c52a |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | c2b3fda844a63720d2d538c180bc099d |
| SHA1 | 2e193af1d5bb555eceab2567e6bdc8de5ea37389 |
| SHA256 | 03308d18c25c91c7842435aeae6ac2a881d944a476ca08c3c31b225bb694e2f9 |
| SHA512 | 085c22480f21d1a00c416d88002e90d69a98b6f22ffbede9fb4be47160afde39594e4c347b8f528138ceb414e42853638a364a7c76196eb5b87aa0f0e939673f |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-math-l1-1-0.dll
| MD5 | 88f33a15df3b2b607641355efca9045e |
| SHA1 | 3a8d44df0db031f04de26b989b6354fa503286f1 |
| SHA256 | dec6b63bd8bafbfaffeac60d1893f65db493330c47b004e15077d36a9f6b5620 |
| SHA512 | fde91877e10b2c849f40976cbafb52d14250a2d7bad3d1fbd06a99733e8bff301af2a3456c174eb65b8e836ba3ca73bb129621c077538ffadbe7e3090f5d5f5f |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 035aa6a1726b0ea41c77654abc193ffa |
| SHA1 | 5829e379e36aedc747544d8b68a50c887796a866 |
| SHA256 | 001103cfd5744e5edeb9afc71a5003bd96bca16905af875962c0ce8554c569d4 |
| SHA512 | 3f5f50a2969f11f6153786712db423414a84646851960b47572cf07519fe8c57157c00f07a4f77ef94b278d536c703d634dfc8e06c815be417e3794bb7d8450c |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-time-l1-1-0.dll
| MD5 | bb221fa7123ce13acc3b9d07f9b3772f |
| SHA1 | 9cc71495b8e0ce99d11e7d819bae4a60cfd1a331 |
| SHA256 | 5ff841504800e7ac70b417be6267d75d1898d249d3d29dbafd0821c9167cabac |
| SHA512 | 4ba4a0bddfffa9331da0baadb7d6bae8a2ad0185cac13c9aaf0c7ffe50ebc342c6597b457f957224eda192528a81001df45a72362cc0348bbf35b8d93fa8d599 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | d6be6616c9e09f56e03f624237370000 |
| SHA1 | d7abb8b13b767156956020509fb9a44ef47e4a61 |
| SHA256 | 6540a2c1f61247a3701dc667c7451eae1a80eed12a3fd7b41cb3fdade6b945be |
| SHA512 | 979711aae08c067e979afd31e688a8d58835f9beff2e1c2fcb5d3c24ce763a0a483d9fd316c98399ba1d1657a7dc477992963f6e9efcdfa25841a998496595c8 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-process-l1-1-0.dll
| MD5 | 83a20175731641ee65f2d3be3e55370b |
| SHA1 | c73a7c809e91874b358b1ab250b64d76aa1d3b68 |
| SHA256 | 7c6fac5370ed2e8b99ad0cf8f3126b5abe1ffa1a993200b7fd271a3d9e94719a |
| SHA512 | 827261cba5351f21531c5e58f0b76a07398b3443a2d1708a15bcdbbffa9b55cfd6ed73b756eae7554ab5d7c45393590eba1a43d3b7262160e7e4d70fef26c973 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 428bc69de382d69a5e1c866af66344d1 |
| SHA1 | 7386ddd99718d8e314f853ee85dc142a892013ca |
| SHA256 | e78c38c7aeb7c8b0427783c46c030d7e66b7eb5e9b8fbf1242d947a1c3412cd5 |
| SHA512 | 7960c5895eed6a415bd3a6f9e873a24ff78ebbe2627835542a7380ec45ca63d5dc9a96748893d779702bb744dcf488999f8c024c22771d7b192ed594130d627f |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | fa9ffd35fe0fa5807f9709c51accdb1c |
| SHA1 | 4c554264c04efcedb706c1663f950236cb6fca00 |
| SHA256 | 0468f39869fabe17fc0a5382cae5eccf4d0c6120ed6ab2e67242eb7c53729347 |
| SHA512 | f64f9a7713a1a2a8022b893f08336151e4efe3be25fe7611d52e1e24f08c07da100cccafd076f13e4ee7a22ca5bb70c5d74bc84831174a59fe8367db54b5948a |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\base_library.zip
| MD5 | 980803999e3d3bd6bede5686f86fac8a |
| SHA1 | 22dc630261b52c28ba6a96087cea822860b20862 |
| SHA256 | ae8d5a7ffdf6e0b75b930e2253fae4a241e198625cf8579c1dc3113ea8280dea |
| SHA512 | 7d586948f7c06bf5bb12cb45d8ab1535a8a3e955419d5b1349870259b3b4ae6b29a1bc546631f384dc6e8f98d01d32d71f9f57f61b18c8b0b6ac004592b4d092 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_ctypes.pyd
| MD5 | 6264e928d931bd665febeda1d1b15117 |
| SHA1 | f656513a17237543de115a5864a49e71e7a6049a |
| SHA256 | a12fc926903b095c7cde1c020b2519428845f485ff5964c296667246b2e0f262 |
| SHA512 | b4e1cdf8b12ca026e3d330037eb570cf055e95e8d96e5700cf752191b5b1b468cff3a5317cbdfc54e71e1ab1e75674f15f7df246d75d3a29b47ecb373226166d |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_bz2.pyd
| MD5 | afc7802468dca43cff7bf902feace6a0 |
| SHA1 | cd028e3178ed5cff9e2d2b5752c3651124b66614 |
| SHA256 | 8efbc8f4dd21267a6b9a72276a48aff5944f0982b577172675db2bda457cceb1 |
| SHA512 | b445a61b8e1e56273169a2f55b88a3ccd3351bc03e99b3edf8ba1792483e7bb33eaedfe5561a2f6070c41c9c41a878a2367bcd4662da22532d905af7638a8155 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_lzma.pyd
| MD5 | fcbceb644f1d31ef3ee573bca0a11601 |
| SHA1 | fabdda171a58b2d07e4fafa1a15629e1f5039b4f |
| SHA256 | 1b597eeb44fe2986e85c9c501670b88c267b8cddbb453fcc5832f609080f13fc |
| SHA512 | 21fa8ab08a5e4a4d02fe6678e89c3f2be8576a5c15bcef38b88504889794e23d8de223052f963c42075b5548a6a9364ac8f100171f47b6fe1d917d7b2684a7b5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-18 10:16
Reported
2024-06-18 10:25
Platform
win10v2004-20240508-en
Max time kernel
532s
Max time network
524s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened (read-only) | \??\A: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\cleanmgr.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setuperr.log | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagerr.xml | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\diagwrn.xml | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\system32\LogFiles\setupcln\setupact.log | C:\Windows\system32\cleanmgr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\Logs\PBR\SessionID.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Microsoft.NET\ngenserviceclientlock.dat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\actionqueue\oobeSystem.uaq | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\cbs_unattend.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\unattend.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\INF\setupapi.offline.20191207_091437.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\diagerr.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\INF\setupapi.dev.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\Contents1.dir | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\DDACLSys.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\setupact.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\BCDCopy | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\setuperr.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\INF\setupapi.setup.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\MainQueueOnline0.que | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\_s_3CAD.tmp | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\setupact.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\rescache\_merged\1973483750\143545448.pri | C:\Windows\system32\LogonUI.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\unattend.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\_s_3B25.tmp | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\BCDCopy | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\PushButtonReset.etl | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\SessionID.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Timestamp.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\setup.exe | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\UnattendGC\diagerr.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\setuperr.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\cbs.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\setuperr.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\INF\setupapi.offline.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\cleanmgr.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\setup.etl | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\ReAgent\ReAgent.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\Contents0.dir | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\INF | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\BCDCopy.LOG2 | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\setupact.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\diagwrn.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\CBS\CbsPersist_20240618101704.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\DISM\dism.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\diagwrn.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\MainQueueOnline1.que | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\setuperr.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\setupinfo | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\ReAgent\ReAgent.xml | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\DISM\dism.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\DISM | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\actionqueue\specialize.uaq | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\UnattendGC | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\Panther\cbs_unattend.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\setupact.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File created | C:\Windows\Logs\PBR\Panther\Contents1.dir | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| File opened for modification | C:\Windows\Logs\PBR\INF\setupapi.offline.20191207_091437.log | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | C:\Windows\system32\cleanmgr.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\ | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\cleanmgr.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\System32\vds.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015 | C:\Windows\system32\cleanmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631795529408069" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Windows\system32\lpksetup.exe | N/A |
| N/A | N/A | C:\Windows\system32\lpksetup.exe | N/A |
| N/A | N/A | C:\Windows\system32\lpksetup.exe | N/A |
| N/A | N/A | C:\Windows\system32\lpksetup.exe | N/A |
| N/A | N/A | C:\Windows\system32\lpksetup.exe | N/A |
| N/A | N/A | C:\Windows\system32\lpksetup.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cleanmgr.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Users\Admin\AppData\Local\Temp\keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\keylogger.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.0.6729523\10116199" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1800 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c90b44d6-d760-4f34-891c-18cdc401a2ed} 436 "\\.\pipe\gecko-crash-server-pipe.436" 1900 1ce56ef6658 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.1.1478798230\304745961" -parentBuildID 20230214051806 -prefsHandle 2440 -prefMapHandle 2428 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bec637a-ae27-4590-afca-3251ee3fcace} 436 "\\.\pipe\gecko-crash-server-pipe.436" 2468 1ce4b489358 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.2.2121412063\38665499" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9714b19-83ca-4210-a303-10a9c6a7ce15} 436 "\\.\pipe\gecko-crash-server-pipe.436" 2972 1ce5aaed858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.3.393318138\1438030093" -childID 2 -isForBrowser -prefsHandle 4072 -prefMapHandle 4068 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c02f3a2-8aed-418b-bffd-4842b3c0729e} 436 "\\.\pipe\gecko-crash-server-pipe.436" 4084 1ce5d177058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.4.1132473238\1857119703" -childID 3 -isForBrowser -prefsHandle 5104 -prefMapHandle 5088 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17cdb964-d5fd-4baa-9242-4351610aed06} 436 "\\.\pipe\gecko-crash-server-pipe.436" 5112 1ce5ef48e58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.5.2121281201\363789744" -childID 4 -isForBrowser -prefsHandle 5328 -prefMapHandle 5324 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59e2f81b-02c0-4e42-ad37-a0ac9fa631d7} 436 "\\.\pipe\gecko-crash-server-pipe.436" 5336 1ce5ef49158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="436.6.760905987\1644721872" -childID 5 -isForBrowser -prefsHandle 5240 -prefMapHandle 5244 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b60e316f-627b-4995-b88b-c17a54ef64e5} 436 "\\.\pipe\gecko-crash-server-pipe.436" 5232 1ce5ef4ac58 tab
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffefbbdab58,0x7ffefbbdab68,0x7ffefbbdab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2124 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3184 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4008 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5112 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4348 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4516 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5136 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3304 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5284 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3148 --field-trial-handle=1900,i,13965943586848136313,15661680188348556085,131072 /prefetch:1
C:\Windows\system32\cleanmgr.exe
"C:\Windows\system32\cleanmgr.exe"
C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismhost.exe {CADB0222-403C-41BE-8B6D-774C222D0E19}
C:\Windows\system32\lpksetup.exe
/s /r /u de-DE es-ES fr-FR it-IT ja-JP uk-UA
C:\Windows\system32\lpksetup.exe
"C:\Windows\system32\lpksetup.exe" -Embedding
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbf57352fh91fbh45c9h8785hf40a041fcdb2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xfc,0x104,0x7ffef6c646f8,0x7ffef6c64708,0x7ffef6c64718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,4633697736553077998,12522378877829617252,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,4633697736553077998,12522378877829617252,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,4633697736553077998,12522378877829617252,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa397c855 /state1:0x41c64e6d
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe Update /Queue /Delay
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe Update /Queue /Delay
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:56245 | N/A | tcp |
| N/A | 127.0.0.1:56251 | N/A | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | roblox.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roblox.com | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI11722\ucrtbase.dll
| MD5 | 793eaa5f4b9e9433d63231a3da0cd2ae |
| SHA1 | 71dcba32528af7574a1bf463e1affd6ee25834b8 |
| SHA256 | da23ba5c0a69c2199bd2ba04ea6d2c022eac59829ac489f9286e4df7079ccf91 |
| SHA512 | 7bfe866088037df804fc8979ddca6137aeabf48d59d171bdd0ca81c516f644aa8ad47b14458d73ab24800a829d4309987e1290234aace13e2a42e22127b463cb |
C:\Users\Admin\AppData\Local\Temp\_MEI11722\python38.dll
| MD5 | 15dc83636ae9a81d7655b96c5e35ceb9 |
| SHA1 | d1d24acbde8cbae61a023200a457b152f2f41959 |
| SHA256 | 2ff297c95ec95f584edde4e1f852aa4aa7976ca659380a86551cbaa20b20a33a |
| SHA512 | bc145b0db0e9ed08f37603ee0a5fab50e2168c6ed43f75b22b2b03f853aa2c019ca85bf877079e38e5b616688cc641ed81e2421ab2f3940ac826e188a1aa1225 |
C:\Users\Admin\AppData\Local\Temp\_MEI11722\VCRUNTIME140.dll
| MD5 | 2ebf45da71bd8ef910a7ece7e4647173 |
| SHA1 | 4ecc9c2d4abe2180d345f72c65758ef4791d6f06 |
| SHA256 | cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b |
| SHA512 | a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457 |
C:\Users\Admin\AppData\Local\Temp\_MEI11722\base_library.zip
| MD5 | 980803999e3d3bd6bede5686f86fac8a |
| SHA1 | 22dc630261b52c28ba6a96087cea822860b20862 |
| SHA256 | ae8d5a7ffdf6e0b75b930e2253fae4a241e198625cf8579c1dc3113ea8280dea |
| SHA512 | 7d586948f7c06bf5bb12cb45d8ab1535a8a3e955419d5b1349870259b3b4ae6b29a1bc546631f384dc6e8f98d01d32d71f9f57f61b18c8b0b6ac004592b4d092 |
C:\Users\Admin\AppData\Local\Temp\_MEI11722\_ctypes.pyd
| MD5 | 6264e928d931bd665febeda1d1b15117 |
| SHA1 | f656513a17237543de115a5864a49e71e7a6049a |
| SHA256 | a12fc926903b095c7cde1c020b2519428845f485ff5964c296667246b2e0f262 |
| SHA512 | b4e1cdf8b12ca026e3d330037eb570cf055e95e8d96e5700cf752191b5b1b468cff3a5317cbdfc54e71e1ab1e75674f15f7df246d75d3a29b47ecb373226166d |
C:\Users\Admin\AppData\Local\Temp\_MEI11722\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI11722\_bz2.pyd
| MD5 | afc7802468dca43cff7bf902feace6a0 |
| SHA1 | cd028e3178ed5cff9e2d2b5752c3651124b66614 |
| SHA256 | 8efbc8f4dd21267a6b9a72276a48aff5944f0982b577172675db2bda457cceb1 |
| SHA512 | b445a61b8e1e56273169a2f55b88a3ccd3351bc03e99b3edf8ba1792483e7bb33eaedfe5561a2f6070c41c9c41a878a2367bcd4662da22532d905af7638a8155 |
C:\Users\Admin\AppData\Local\Temp\_MEI11722\_lzma.pyd
| MD5 | fcbceb644f1d31ef3ee573bca0a11601 |
| SHA1 | fabdda171a58b2d07e4fafa1a15629e1f5039b4f |
| SHA256 | 1b597eeb44fe2986e85c9c501670b88c267b8cddbb453fcc5832f609080f13fc |
| SHA512 | 21fa8ab08a5e4a4d02fe6678e89c3f2be8576a5c15bcef38b88504889794e23d8de223052f963c42075b5548a6a9364ac8f100171f47b6fe1d917d7b2684a7b5 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | fa9fdf3b6fb2f722d164e1aec83dc1e2 |
| SHA1 | 15f572e524a91713a99e10e03894f095297deb85 |
| SHA256 | 448a2abcc7800a24ae159f5bfc2039fb0da376ee035398967439a11f52a81a82 |
| SHA512 | 83465bba03f471eb00c30ac505ad1c5e8f12ce8dcad63420ba9c4fd5c0b75ba2fc204d2522c8b81668b7a350996de8cccd64f808571f599381e9710d25925010 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js
| MD5 | fb5c4b73d500729ed223a49a04322453 |
| SHA1 | f59c938e64b931674edd21bc47b0cf03adc07802 |
| SHA256 | c0fc5626b213a791e45091b9aca48247e7cca4a2fb46bec077bc962b6e6309fd |
| SHA512 | 5108fd6b18c052b06660fb1838896368ac32b98e3a597c0f3df70736efecba0ffd06c9ffe250f2f710498cd3ab966f86a11b770fdea089c6787218426ec25953 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4
| MD5 | e45ca71e56e1b6eeb6d9656f9e6c4848 |
| SHA1 | 4a510a6542e028d4f52621af0ba69c81f59a5cc2 |
| SHA256 | bb2fa97da4e28805a6b8ec66af99d13831e6366424ae43c651d8397ca7a7b732 |
| SHA512 | a17fd3a8dd9d1343e844b6be816cfc3fa87858ea74b30f3c9b05e99e7afcb76366e65e349c432ca8592b2fb066632628bb1c62835c7f025a4c9c995365faa72f |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | c11c2bbcab654cd1670fecd3492eaed5 |
| SHA1 | 3a0edc9eda7e05e2ed2a55d94860596a0a1a710e |
| SHA256 | 6e0018e7c248b234b4b5a7022a117b2d873027410f6b45eb18ad32c03badeaff |
| SHA512 | 91f3a235acf55a1c35f723176ac951179a22495c0a387219ad7c1096bd36593fe781931292b1e966b3b516f9d090ac83cfa28d9868ece47ca969e79311cb3a37 |
\??\pipe\crashpad_1252_GGZNAAKIJRFCEIYG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 01ef81764c8b2eedf4369ebc819af5fd |
| SHA1 | 5f1e97219b9cd9dd48b05b44f0a5af25d293cc6f |
| SHA256 | 0ab7284830c369298ec4c78223804623594b3160771385961d2afca6b3d794f2 |
| SHA512 | f7afc54b2867caf1323c243f38ac87e909d5ef8c217fe0614ff346b5239bab264ba8d9afc9d892f30f86f098a3bc0045ad16ac0e72c10cf25f748f186847a185 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8ce30cbafa10c1edbcb07a14e3aff28f |
| SHA1 | 03f8faf2199a09252cc563982957ca67e937b448 |
| SHA256 | ef581ba2071649a4edaa4f1a2544ff9e2f397252e7a56098b39941da034414bf |
| SHA512 | 59f8c34570cdd7609a4ef088be2c995643e92df414c62f8f3926d7015848b7547f8ce969be910579f5ef5a386e494f75ef1a3ee816d53dd08a7e9d001394f788 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 7d457e94ee9083b9c6a683fd8050f492 |
| SHA1 | 1ef69a8ccaaccebecf1c21bcf6e8d662fe405ea4 |
| SHA256 | b7157181b288958caecc241fe5820f377b0cc919f92863e7857685b64939d16f |
| SHA512 | af5e480549efb403a958273eb598647c55e81e130043d0f3bb5512d455e534e369d1891c6c89694ea553dd050007a57d4c4175f91fa7e07f588570b850e790d9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 25feefab3499df7ddf65fe04defc2b5e |
| SHA1 | 72372425fbdc0fcb8d061a8b27242bc6a8305c9d |
| SHA256 | d832d5633345adf6328c3f94fa88812a590b583085deac65b2ee03e3af188dcd |
| SHA512 | 5ef98439630cad22f599ccacf9bffd95c6bf0578763fa828235b1eeeb89a0f4a8b148d7a1684c052102dc6aa628a0ea7e288821767f04eca822a4e26bdee0670 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | f6bd51bcec5f91435fc8de4fc3b0f92b |
| SHA1 | a25a9dba335f14b30d9c5a0c83cee27eb953a002 |
| SHA256 | 024de790505efa497dee5021170bfc62e261e3e09bb8bd934c30fc79363efff7 |
| SHA512 | 2544ed1425fdbdfd628195bd4241646d7ed087cfcfef49a59c05217d95d83f7f34adaa43b239fda9b2be82130b02155e169b791da99603eb2ce089f3e4db9cf2 |
C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\65E64CC2-9E21-4AD1-89D0-97856DC8AA73\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Windows\Logs\DISM\dism.log
| MD5 | 202bdcb81eed75096bfb5ebecf3df369 |
| SHA1 | 1ea0fe5a63c624dbdb00bb28e31461b92a415bb1 |
| SHA256 | 9817c05d5f33f85034eab6659c0ce9667627a734c4fa80711a3ece04af2e82f6 |
| SHA512 | c40852f0f0b6a2d9f384d4668974f0719979249a14d6469bbb708584c88ff247d1f364eafc06defdadca150d04c3dfa544ad2f3a877d481a1ee8323431c1cea7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 439b5e04ca18c7fb02cf406e6eb24167 |
| SHA1 | e0c5bb6216903934726e3570b7d63295b9d28987 |
| SHA256 | 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654 |
| SHA512 | d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0a31c81451a06be1a7904c0de9935b4e |
| SHA1 | 78aab32a1f084ea8d7bafac0a26e990e2cbeee6b |
| SHA256 | 662b122283f9171355b3c9386d8556dfa2c8608a2089d7ae0a37d18b16e46f2c |
| SHA512 | 3e53e1240c9741af8668ca9c82a3de62f492724fb6cdd4a965de3a7595436539a97391af3330993f69bee8f2b681e3bfa5ed3d3c6ea696c95e3ad19bf2a9ef23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 72ee872dfbed29e1175117bbab52a487 |
| SHA1 | b7b107b133aa5a9bfe64be38623eb65509d6ffbc |
| SHA256 | 74e567284f2ab4ab4db741b4fd4918f4549366ea1af55e140b436c7f98fc6f38 |
| SHA512 | 0f985ba93342ef11ac3567ec1d385d38074d95599351135e49ad095fc5bbbda5d98d10cf05cfab1a20438364ca3c5b0b29a4f0291b806b0fdf990a3537e4682b |
C:\Windows\Logs\PBR\Panther\diagerr.xml
| MD5 | cfc8402943ee9f1aefc870fede7f41a7 |
| SHA1 | e20517b671c2df0ab537818c38752ad2cc2fd97f |
| SHA256 | b35618e2c04c700b164b9691c059e1e366bb818c81dbf50ff044e1709411b5f4 |
| SHA512 | 554af527b28d103c012d365034cd9cc1e1acc018bb2817bbe3d4bf006573b109b9c8551a3bd3f14ee9a35e4485b1ca5bb6e8e1a07d827adb003e11dbd2454e89 |
C:\$SysReset\Logs\setupact.log
| MD5 | b341ff6de586e8392b0e1b0f2d6eeb95 |
| SHA1 | e345403e3123dd84e32ccb2f67e9a95e0f4cb9e4 |
| SHA256 | 8e2499f9b26dc138647ef03889486c35d4a348cd07e75aab83246bc45220e5b1 |
| SHA512 | 10546576d363f67edac3c368ca9263776580ff8c95c65c1eb915a78ef7053dc49fcf7cb5f655a023e4f9612a794623a7a5d12407c000e48fb3b953a6f0343e77 |
C:\Windows\Logs\PBR\Timestamp.xml
| MD5 | be6b9a9a54831447ec54f011f138168d |
| SHA1 | 4b6df5c50bc67fd86efecb3efa14e7783f9b7827 |
| SHA256 | a7650c104d479abcaac0788f81ef3f483b98c16eec325966c1a2680c169793de |
| SHA512 | 488d18e07c2f2a8101971e58ba462edcc19d45338892045c11dc84f4257e308f06533703f7b868daf6f9a2c83e5cd0da6b608f460f1331adca43d361e2f7c933 |
C:\$SysReset\Logs\setuperr.log
| MD5 | 204e06e530352a7033f975f83af5bcde |
| SHA1 | 809fdecb0000b9069881e8d7fdb763fc626e922b |
| SHA256 | e930cbbb8e930cfc8ec8f1b3e90f02f0c9a3bbf20ef291c2c7933912acf75d03 |
| SHA512 | 66738119fd6d913a0e48f2806bacd75b2a4846c9c85fdbcc15bd60ba4db7a1f06542e3907371e4241fcfa6b2860e56ff6bd4f3c2ca61c8df31724fe4c5ceb717 |
C:\Windows\Logs\PBR\SessionID.xml
| MD5 | 769875efc6aebbf7ad61a64d62b1bf03 |
| SHA1 | 7e08b469ca2de4e8468a0ee76564934ad72f7895 |
| SHA256 | 61ea755649bf119acf7ef04400f306df6426086ce6e70819b7853ec778f8062f |
| SHA512 | 4608bb0217bb32264d7dfc08bd3fbddc1778e31668cb6da09b28b1909246d5afa42a818a03c5f3e7d169e54233c77b70ae8bf30c08820afc8de1051dd11b497d |
C:\Windows\Panther\UnattendGC\diagerr.xml
| MD5 | a9ffad446e25374b3ab222c8aeaa5ccb |
| SHA1 | b9ffd24f33872e2d7c0a30d1cca37fab35ee178d |
| SHA256 | 5bb326ffe12624adbe5241cbded046efabfe5792032e42a11e1baa635e3313fc |
| SHA512 | 4a171c9386130f580781f10b743d145a001edba2fa32f19cf620ca5250fe15888b248c56baaa21912f864d418537fcc97ab1e3231a3cc2ef706bdfceab15cf42 |
C:\Windows\Panther\UnattendGC\diagwrn.xml
| MD5 | d42a8a40a0e52ab47a8cc930e112ddaa |
| SHA1 | c470153c69b4578c919d79c111af2ccf891e4848 |
| SHA256 | f6b87d88cbb3ea0317ac2d7d2cef3a37985a9ed12e5986539a63932d6a064204 |
| SHA512 | 8cdcf3ce549df7d91d2eefc88d6915854cb84d644c4ac489fea6fb78ff990683cb42aac48d09879f2602daeff2443b971c43a7fe1f0b2d04984c108d303d25c0 |