Malware Analysis Report

2025-08-10 22:34

Sample ID 240803-wf4xqsvfkf
Target http://google.com
Tags
discovery persistence privilege_escalation
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

Threat Level: Shows suspicious behavior

The file http://google.com was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence privilege_escalation

Enumerates connected drives

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Event Triggered Execution: Accessibility Features

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-03 17:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-03 17:52

Reported

2024-08-03 18:00

Platform

win10-20240404-en

Max time kernel

381s

Max time network

328s

Command Line

"C:\Windows\system32\LaunchWinApp.exe" "http://google.com"

Signatures

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\explorer.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\explorer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0E5C3C26\11_All_Pictures.wpl C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ideos.tmp C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Documents C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools C:\Windows\explorer.exe N/A
File created C:\Windows\system32\config\systemprofile\Searches\Indexed Locations.search-ms C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Favorites C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\Searches\desktop.ini C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db C:\Windows\explorer.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000002.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\ie4uinit-UserConfig.log C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000001.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Saved Games C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Low C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Music C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo C:\Windows\System32\fsquirt.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0E5C3C26\10_All_Music.wpl C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~ictures.tmp C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db C:\Windows\explorer.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0E5C3C26\03_Music_rated_at_4_or_5_stars.wpl C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\index.dat C:\Windows\system32\RunDll32.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db C:\Windows\explorer.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0E5C3C26\08_Video_rated_at_4_or_5_stars.wpl C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RFe5c3f52.TMP C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\AccountPictures C:\Windows\explorer.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\SendTo\Bluetooth File Transfer.LNK C:\Windows\System32\fsquirt.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0E5C3C26\05_Pictures_taken_in_the_last_month.wpl C:\Windows\System32\unregmp2.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0E5C3C26\09_Music_played_the_most.wpl C:\Windows\System32\unregmp2.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RFe5c3f62.TMP C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\cversions.3.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Favorites C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Packages\windows_ie_ac_001\AC C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\System32\%LOCALAPPDATA%\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Low C:\Windows\System32\ie4uinit.exe N/A
File created C:\Windows\system32\config\systemprofile\Favorites\Bing.url C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\Videos C:\Windows\explorer.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0E5C3C26\07_TV_recorded_in_the_last_week.wpl C:\Windows\System32\unregmp2.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RFe5c3f43.TMP C:\Windows\explorer.exe N/A
File created C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\~usic.tmp C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db C:\Windows\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI C:\Windows\System32\ie4uinit.exe N/A
File created C:\Program Files (x86)\Internet Explorer\Signup\TMP4352$.TMP C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI C:\Windows\System32\ie4uinit.exe N/A
File opened for modification C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT C:\Windows\System32\ie4uinit.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\AppReadiness\S-1-5-21-873560699-1074803302-2326074425-1000 \??\c:\windows\system32\svchost.exe N/A
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
File created C:\Windows\rescache\_merged\4032412167\4002656488.pri C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\system32\SettingSyncHost.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File opened for modification C:\Windows\AppReadiness\S-1-5-18 \??\c:\windows\system32\svchost.exe N/A
File created C:\Windows\rescache\_merged\2717123927\1590785016.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\system32\SettingSyncHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\SettingSyncHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\SettingSyncHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\system32\SettingSyncHost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\SettingSyncHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\SettingSyncHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\SettingSyncHost.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\SettingSyncHost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ini\OpenWithList C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\IE.HTTP_http = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0\f45197b394e8e4b0 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c0049006e007400650072006e006500740020004500780070006c006f007200650072005c00420072006f00770073006500720045006d0075006c006100740069006f006e005c004c006f0077004d00690063002c000000 C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXmk63adfvvewttqzmezsgagxtcyyr84tx_.mkv = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Skydrive C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\mswindowsmusic\UserChoice C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Colors\HotTrackingColor = "0 102 204" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel\RegistrationType = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppX5sy1gww9q4g2gt941cdxxd7s07xe5vph_.m4a = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" C:\Windows\System32\ie4uinit.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rwl\OpenWithList C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXqj98qxeaynz6dv4459ayz6bnqxbyaqcs_.flac = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\My Pictures = "C:\\Windows\\system32\\config\\systemprofile\\Pictures" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{A3D53349-6E61-4557-8FC7-0028EDCEEBF6} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.srw C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\VLC.tts_.TTS = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithProgids C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup\IE UserData NT\RegBackup\0.map\57fd7ae3ca9283bd = ",1,HKCU,SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Content,CacheLimit," C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3gpp\OpenWithProgids C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\XpsRchVw.exe,-102 = "XPS Viewer" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\Scripts\19 C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\TaskbarAnimations = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\Scripts\30 C:\Windows\System32\ie4uinit.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\zfcnvag.rkr = 00000000020000000300000060ea0000000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bf000080bfffffffff01d9ce74cee5da0100000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\WMP11.AssocFile.3GP_.3gp = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\WMP11.AssocFile.MP3_.MP2 = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice\Hash = "XSCJTMk67ss=" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\mswindowsvideo C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\Scripts\34\IEFixedFontName = "Iskoola Pota" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXcdh38jxzbcberv50vxg2tg4k84kfnewn_.dib = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\WMP11.AssocFile.TTS_.TTS = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\VLC.wma_.wma = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "10,0,15063,0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\AppXcdh38jxzbcberv50vxg2tg4k84kfnewn_.tiff = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\Applications\Notepad.exe_.xml = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\http = "3" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\VLC.adts_.adts = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Advanced INF Setup C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\ChromeHTML_.html = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\mswindowsvideo\URL Protocol C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\Scripts\3 C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\Scripts\6 C:\Windows\System32\ie4uinit.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuInit = "13" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cr2 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts\PBrush_.jpe = "0" C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" C:\Windows\System32\ie4uinit.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithProgids C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xlsx C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFixedFontName = "Courier New" C:\Windows\System32\ie4uinit.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" C:\Windows\System32\ie4uinit.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\CortanaListenUIApp_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "CortanaListenUIApp_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "25" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.windowpicker_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 08bfcdf7cde5da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\EnvironmentsApp_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\e2a4f912-2574-4a75-9bb0-0d023378592b_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AccountsControl_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.AccountsControl_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.Windows.HolographicFirstRun_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\DesktopView_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "25" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\EnvironmentsApp_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "EnvironmentsApp_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.printdialog_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ad3202f8cde5da01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\HoloCamera_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.CredDialogHost_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.contactsupport_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Windows.PrintDialog_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Windows.PrintDialog_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.aad.brokerplugin_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.modalsharepickerhost_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.secondarytileexperience_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ParentalControls_cw5n1h2txyewy\PackageStateRoamingCollectionId\CollectionId = "Microsoft.Windows.ParentalControls_cw5n1h2txyewy-0" C:\Windows\system32\SettingSyncHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\microsoft.windows.oobenetworkcaptiveportal_cw5n1h2txyewy\PackageStateRoamingCollectionId C:\Windows\system32\SettingSyncHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\LogonUI.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\LogonUI.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\SettingSyncHost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\SettingSyncHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 1976 wrote to memory of 3644 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 5280 wrote to memory of 5324 N/A C:\Windows\system32\utilman.exe C:\Windows\explorer.exe
PID 5280 wrote to memory of 5324 N/A C:\Windows\system32\utilman.exe C:\Windows\explorer.exe
PID 5324 wrote to memory of 5604 N/A C:\Windows\explorer.exe C:\Windows\System32\unregmp2.exe
PID 5324 wrote to memory of 5604 N/A C:\Windows\explorer.exe C:\Windows\System32\unregmp2.exe
PID 5324 wrote to memory of 4624 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 5324 wrote to memory of 4624 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 5324 wrote to memory of 4624 N/A C:\Windows\explorer.exe C:\Windows\SysWOW64\rundll32.exe
PID 5324 wrote to memory of 5692 N/A C:\Windows\explorer.exe C:\Windows\System32\ie4uinit.exe
PID 5324 wrote to memory of 5692 N/A C:\Windows\explorer.exe C:\Windows\System32\ie4uinit.exe
PID 5692 wrote to memory of 5720 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\ie4uinit.exe
PID 5692 wrote to memory of 5720 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\System32\ie4uinit.exe
PID 5720 wrote to memory of 3492 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\system32\RunDll32.exe
PID 5720 wrote to memory of 3492 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\system32\RunDll32.exe
PID 5720 wrote to memory of 5748 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\system32\RunDll32.exe
PID 5720 wrote to memory of 5748 N/A C:\Windows\System32\ie4uinit.exe C:\Windows\system32\RunDll32.exe
PID 5324 wrote to memory of 1776 N/A C:\Windows\explorer.exe C:\Windows\System32\unregmp2.exe
PID 5324 wrote to memory of 1776 N/A C:\Windows\explorer.exe C:\Windows\System32\unregmp2.exe
PID 5324 wrote to memory of 4676 N/A C:\Windows\explorer.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
PID 5324 wrote to memory of 4676 N/A C:\Windows\explorer.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
PID 4676 wrote to memory of 5888 N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
PID 4676 wrote to memory of 5888 N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
PID 4676 wrote to memory of 64 N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
PID 4676 wrote to memory of 64 N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
PID 64 wrote to memory of 5940 N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
PID 64 wrote to memory of 5940 N/A C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
PID 5324 wrote to memory of 5652 N/A C:\Windows\explorer.exe C:\Windows\System32\fsquirt.exe
PID 5324 wrote to memory of 5652 N/A C:\Windows\explorer.exe C:\Windows\System32\fsquirt.exe
PID 5324 wrote to memory of 2900 N/A C:\Windows\explorer.exe C:\Windows\System32\p6rbzy.exe
PID 5324 wrote to memory of 2900 N/A C:\Windows\explorer.exe C:\Windows\System32\p6rbzy.exe
PID 5280 wrote to memory of 5996 N/A C:\Windows\system32\utilman.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5280 wrote to memory of 5996 N/A C:\Windows\system32\utilman.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\LaunchWinApp.exe

"C:\Windows\system32\LaunchWinApp.exe" "http://google.com"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0 /state0:0xa3af9855 /state1:0x41c64e6d

C:\Windows\System32\LockAppHost.exe

C:\Windows\System32\LockAppHost.exe -Embedding

C:\Windows\system32\utilman.exe

utilman.exe /debug

C:\Windows\explorer.exe

explorer

\??\c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appreadiness -s AppReadiness

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll",CreateReaderUserSettings

C:\Windows\System32\ie4uinit.exe

"C:\Windows\System32\ie4uinit.exe" -UserConfig

C:\Windows\System32\ie4uinit.exe

C:\Windows\System32\ie4uinit.exe -ClearIconCache

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0

C:\Windows\System32\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /FirstLogon

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x7ff75a587688,0x7ff75a587698,0x7ff75a5876a8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff75a587688,0x7ff75a587698,0x7ff75a5876a8

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Windows\system32\SettingSyncHost.exe

C:\Windows\system32\SettingSyncHost.exe -Embedding

C:\Windows\System32\fsquirt.exe

"C:\Windows\System32\fsquirt.exe" -Register

C:\Windows\System32\p6rbzy.exe

"C:\Windows\System32\p6rbzy.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell

C:\Windows\system32\wininit.exe

"C:\Windows\system32\wininit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 google.com udp
NL 142.250.102.102:80 google.com tcp
NL 142.250.102.102:80 google.com tcp
US 8.8.8.8:53 www.google.com udp
NL 142.250.27.147:80 www.google.com tcp
NL 142.250.27.147:80 www.google.com tcp
NL 142.250.27.147:443 www.google.com tcp
NL 142.250.27.147:80 www.google.com tcp
NL 142.250.27.147:80 www.google.com tcp
US 8.8.8.8:53 102.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 147.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
NL 142.250.27.94:80 o.pki.goog tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 94.27.250.142.in-addr.arpa udp
US 8.8.8.8:53 94.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

memory/1432-16-0x000001EE0D120000-0x000001EE0D130000-memory.dmp

memory/1432-0-0x000001EE0D020000-0x000001EE0D030000-memory.dmp

memory/1432-35-0x000001EE0C100000-0x000001EE0C102000-memory.dmp

memory/3920-43-0x0000027520000000-0x0000027520100000-memory.dmp

memory/3920-45-0x0000027520000000-0x0000027520100000-memory.dmp

memory/3644-51-0x00000209E3010000-0x00000209E3110000-memory.dmp

memory/3644-64-0x00000209F37E0000-0x00000209F37E2000-memory.dmp

memory/3644-62-0x00000209F37C0000-0x00000209F37C2000-memory.dmp

memory/3644-60-0x00000209F3700000-0x00000209F3702000-memory.dmp

memory/3644-58-0x00000209F35E0000-0x00000209F35E2000-memory.dmp

memory/3644-56-0x00000209F35C0000-0x00000209F35C2000-memory.dmp

memory/3644-54-0x00000209E2D30000-0x00000209E2D32000-memory.dmp

memory/1432-67-0x000001EE13C70000-0x000001EE13C71000-memory.dmp

memory/1432-66-0x000001EE13C60000-0x000001EE13C61000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TGFYS00V\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/3644-97-0x00000209F4250000-0x00000209F4350000-memory.dmp

memory/3644-105-0x00000209F4250000-0x00000209F4350000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\31H7MM5A\recaptcha__en[1].js

MD5 1d96c92a257d170cba9e96057042088e
SHA1 70c323e5d1fc37d0839b3643c0b3825b1fc554f1
SHA256 e96a5e1e04ee3d7ffd8118f853ec2c0bcbf73b571cfa1c710238557baf5dd896
SHA512 a0fe722f29a7794398b315d9b6bec9e19fc478d54f53a2c14dd0d02e6071d6024d55e62bc7cf8543f2267fb96c352917ef4a2fdc5286f7997c8a5dc97519ee99

memory/3644-141-0x00000209F4C70000-0x00000209F4C72000-memory.dmp

memory/3644-197-0x00000209F6820000-0x00000209F6822000-memory.dmp

memory/3644-333-0x00000209F6B10000-0x00000209F6B30000-memory.dmp

memory/3644-335-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

memory/3644-337-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

memory/3644-338-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

memory/3644-343-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

memory/3644-344-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

memory/3644-342-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

memory/3644-341-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

memory/3644-340-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

memory/3644-339-0x00000209E29D0000-0x00000209E29E0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\N3ETVNPW\styles__ltr[1].css

MD5 4adccf70587477c74e2fcd636e4ec895
SHA1 af63034901c98e2d93faa7737f9c8f52e302d88b
SHA256 0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d
SHA512 d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF0628C9E91BD2403E.TMP

MD5 765ae20e7e608aa8e0219eaf7a60fbeb
SHA1 66ed99414da2cb149f7008a50087b352ba137157
SHA256 375b32bc460854b5d4ae9db2563a426d12367e1dd49c248c2cb72e49a6f15f5e
SHA512 0f68891cbf038ccd4cc5b51b326930fa39311b32ae0c7ec1ceb999f8c24983e849eda7ca77f473718299d16619d078694b33954df2a5313a4a95df4d21753477

C:\Windows\Temp\RGI3CC2.tmp

MD5 dd4f5026aa316d4aec4a9d789e63e67b
SHA1 fe41b70acbcba7aa0b8a606fe82bcfde9a7bf153
SHA256 8d7e6cee70d6035c066b93143461d5f636e144373f5c46bc10a8935d306e0737
SHA512 3f18e86d8d5119df6df0d914ebf43c1a6dadb3fdeff8002940a02d0a3d763e779068a682ee6bafe650b6c371d4be2e51e01759ec5b950eef99db5499e3a6c568

C:\Windows\Temp\RGI3D44.tmp

MD5 a828b8c496779bdb61fce06ba0d57c39
SHA1 2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda
SHA256 c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d
SHA512 effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

C:\Windows\System32\config\systemprofile\Favorites\Bing.url

MD5 5d42dddda9951546c9d43f0062c94d39
SHA1 4af07c23ebb93bad9b96a4279bee29eba46be1ee
SHA256 e0c0a5a360482b5c5ded8fad5706c4c66f215f527851ad87b31380ef6060696e
SHA512 291298b4a42b79c4b7a5a80a1a98a39be9530c17a83960c2cf591b86382448cd32b654a00fc28eab4529df333a634bcdc577aef4a3a0a362e528b08f5221beb1

F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

C:\Windows\TEMP\wmsetup.log

MD5 991a42a16e7c101fc6104550b99436ad
SHA1 72556dc9f3b0d8d656a3983c15b147fc2e56a476
SHA256 636408917137143371f5221138ce6a58c4be22a2683193f50a1965ee5affd67d
SHA512 91b19f088a71d7991f2491a21204054079e4c165567d3821e5fd7413cceb5ab1ca6b9f55af5f0e59642e151b9e079cc0be605e912911d406f441b4b5f6f7a423

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 969d2a170304ed57ab03c64c3723af2a
SHA1 d73421f1678157eeb090319ae24c5f9b621d0aa8
SHA256 245303f9f7aafea4ea36e76a49548a06c2ff399d4000a957c041d447b8c4706e
SHA512 770c524284022c9104886aeb7d3f9ddf725118d205831a1429f78f31e156c6ca12ba0d255ea4360ee08ad5f76a0b619a6475f7cc1065870ab92b762d25614a51

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

MD5 ab02383420c3377ae0eb4c946b6349b0
SHA1 f6ad3f0f670510a4750f6b0debb047e9b5534df0
SHA256 016890bdc9c139f1c9809595c3c33fea512b82f2f009b5f506437505a86ca68c
SHA512 1c67b50dd6b47753e701cfa97cd4057247e34e320e5bee5e108a58bb9e34f10830719361891acaf792d099c7bb263e52fa246fe01ab8f4ae7c81fc9c97affceb

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 aa77d7db677b355879153f5259a5ace1
SHA1 e043629e450aa3bd5a4df35d07cf4b4c584a432b
SHA256 c68d645453240d999a36195846a56e3f389a382abd82f8f251dab9ea6db2dee1
SHA512 63b2f2a3f80a3b4c6b60695ff5ac97e8eee8d6e8ebaeadbf3a4ef15b774010ec1a59ba8f20f45843baf2f4b7a8a37f928a84cb9f70f66ac2880886efb10b9fc0

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

MD5 0a0e34beca9fee31d0c6358300ca1e1b
SHA1 596debfebbdb2ce9fae7b20ca2c93b0c3d008d96
SHA256 d37ae914d17951da50440f59aa8d6ec26d0c8221a3508ac2740957898b5d0642
SHA512 fab3bcfc7c5ea5a185ba5316f3e867a69e3ad1e235048fa4c62115824e31cacb3283fa4c0c3c117cbf0cd7b4706b4c8b0addf7d5cd9f1b90c16bd7350310889d

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 020513bd05cf822a696635b8e2177966
SHA1 f83f356d7d1ef8ba3fe1ccecd37eac26c07a25a1
SHA256 976bd478030f5a2cfda905786ae7b506b23ef08ded0f288168d11cd3e18cb220
SHA512 3e570abd6be18650b8ec76590ba13a03e657d6b46a5f523a7ea9d36bab89f5d2e6801281e5e9ac1fe183841bfb02d051950ccc728467272337c6679cfc3acdc5

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

MD5 22f8e34b3cd4c60b355736a5b2fa219c
SHA1 1db6e2362b033c37f740f655901c036f2cf2bf38
SHA256 cd6568900f8ff21bd073c24d43e92df8b600fd9886ac3c0b1f60eb20083f4c1d
SHA512 4f00ec301adcca585868d578f287b25935ecee41641b4ac4e2d7f8cec0f98310cd6263b83d5a82a5a99eaf2397b843bed6321e9fbe1d030581a8a56a2ae8b96a

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 4c968d6116b5097ede12db505f478631
SHA1 3a7b770160e5e7d89ffcd7a36454a555174d007e
SHA256 3dd4be322ccff5b847cf0c30633cc2f6d48374aeaf2da5dc5530a226ed5e929b
SHA512 0cdb047f40240561a5177046fc6b6bfb07696cfb3c80742e92e50b2a6d2cb1c16cd44a37c5cc8bb04bb8b6f3c3e33bcbe0d1c75f45064bbd7ffc84acb63ee3b4

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

MD5 38a3f52468060eb6cdf8aa8382dde290
SHA1 70886664da05940323ba147d9dbf2bc9728ad8b3
SHA256 26eb31efd3188a8ebc49ca4bb539e188476184940ddc8f698aa21775e27ca9ad
SHA512 842698405580e927723c11aaac2356b3dfa0816424db30ee52f9f631eecbd42717d5ac23af4e3bd30ba1d139d136a1e3ed29315627b61776fe3b457cc0fe26c4

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

MD5 99d72adf4e683fa1e6f1a435ff5be9b3
SHA1 007ac135b547c29a9419eaf5b9c422b562f7cd2f
SHA256 873bcd7fc25e21142bdfcd6c8f2bea3e294a055e3f132d8a2b3407aba45074e1
SHA512 fe623875d8ce38b7533333af24d6331459b7bd4a35df2212d666c8ad2eaf16b7f1101ed778a3114d70c3e3731da947d5ff7e272949ec21db194e2389398444ff

C:\Windows\System32\config\systemprofile\Searches\desktop.ini

MD5 a9154e63d5bf5033d0a6d13939b73a4a
SHA1 109c0bd1f78582696da1851edd854b789f778cde
SHA256 b32f58e7492755a4c50f2d58ba1bb44c23b46ad5a82effcedec7ab8a7f44e1d6
SHA512 8a34771d2ededd70b56c43cac58e33e546479849711ad8754bac9529b995d0989b21f727a186fdf2f0ba370b005be53da701149902594244f820a6f6f12d47ee

C:\Windows\TEMP\chrome_installer.log

MD5 f509260d8932619d661f3b94451d9edb
SHA1 079fe88741c3f309f16d497b329526a0f9c13644
SHA256 37077a06b8ac9bbc89b56b4e19ab0e8194c8fe044b18c26b1732fa2f6ca309fc
SHA512 550ad4638c287763aa9a543c60a8e5ec4b86b75abbab363377d75571e7352165de60c9a63007e24e0b8cb4c3463115db72dae49323b990f2a5f13432de45832a

C:\Windows\TEMP\Crashpad\settings.dat

MD5 6b962e677f731152187c97b0f2a5bb1a
SHA1 b39c9f4bd886f0cf00ab1e66df78a5b1273f9ea7
SHA256 8b52a5fee31af1a57ef10f3f01b680e48758c39f5153bf3e591ddc39abae9720
SHA512 c3d3588c25b7a486931e2207d43f4399408bddf2df9d91eadee8c98cdf43d1a9f209ab71b0713eb4367f054ca75ebd7970a0a9a2d53d00c1c2ffab4ff9bc064b

C:\Program Files\Google\Chrome\Application\SetupMetrics\502c51b7-64a9-46e6-ac0b-07945e3a93e3.tmp

MD5 6d971ce11af4a6a93a4311841da1a178
SHA1 cbfdbc9b184f340cbad764abc4d8a31b9c250176
SHA256 338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783
SHA512 c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini

MD5 1c61dc21f9b83172d65be1e94b79026f
SHA1 7324473ddda64b87c299bf6e3b9e9aff53f7fd74
SHA256 8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b
SHA512 9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8

C:\Windows\rescache\_merged\2717123927\1590785016.pri

MD5 d41e13c3ab092e01760faad6db7d73ef
SHA1 2503b4005077df06547b25bd3681f69aee591953
SHA256 29f9d4b3d2caa4012ac5e8d47fdfdb713d2e9e633b4ce3a3a127cd5896913eea
SHA512 35d73f4be9f7ab65e808ad81b22582d42ee5c4f0c90c70987163ab30a1943910d3a3cae8c2e8aaba1ebe6315f4023446b84742c7df4a1cf8e5ff362d85ad5abd

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 c54cde3ceede65db57e1ef09429038d6
SHA1 d40df43ca2538ba8f23eb8d5e6ba48c6cd1a29a7
SHA256 80a0bcaaf774d79edb86f7cf3793bb8d584f3b74a67112b7b7b651aa762240eb
SHA512 1677ee5d05e7357550bf0b45d5f077557e3835d066ac930692112c69c4719a4f618af33f8531b9b99f202d3e69716e2f53faa7da0c8092ffa22a43b585777f2b

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 53a1264b64e3b5b0d8f3c913e97524e2
SHA1 85a684869f8721cb327cf7f6fb3ce8f2b39e80e9
SHA256 9353985c11ae4085208fcd8527fe754bf3feda7bc1c93efe0ba0bcf98f37594a
SHA512 c50ee6e14cae24769d211e46bebd7bebfc684132baa1f67930434709505acbd1b74885efc28acd8c3c43885f12599e135594dcca89c96ccbd6b7a11689da945a

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 1b73f837420eeaf4f21f295433da8277
SHA1 4ec6c3159b51c68766bedce11f445226de10cfe2
SHA256 8b1ef0f318f0f17bebc44d742fbd679af65786c39d20cf60eae20a6be32567c5
SHA512 f8fcbd78fdb69b416019dd56d411e78038b1ba2c7beed1c5220f28e4b6c64479d97c2cb31a690738bfb77fb8779e6bc54bf9f82d26161b8cd263a66b30329254

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db

MD5 ae6fbded57f9f7d048b95468ddee47ca
SHA1 c4473ea845be2fb5d28a61efd72f19d74d5fc82e
SHA256 d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9
SHA512 f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

C:\Windows\system32\config\systemprofile\Favorites\Links\desktop.ini

MD5 3c106f431417240da12fd827323b7724
SHA1 2345cc77576f666b812b55ea7420b8d2c4d2a0b5
SHA256 e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57
SHA512 c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

C:\Users\Admin\AppData\Local\Microsoft\Windows\SettingSync\metastore\meta.jfm

MD5 9526ca2dc6159205575ead40341f1f99
SHA1 4da04163a251e4a97cb11a7c2715fab6834ca7e8
SHA256 455bdec9d92d1732dc53b88a453a82005a944bfb60484591fcde7088749e0409
SHA512 55ca53ae1a39720f3cee4b72e17120586688008b8460d92c8e3c2cc6da423e2f6d489605681fa26d6bb5d6b7a39622d1d656c071f9ad664f413196a64eff4309

C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk

MD5 3f484849e156c22686ee4f0e119c2cb4
SHA1 b820474e505bd6fa3f35f847c090e2f801366474
SHA256 e5e1b5f8a69442b3fbdf8c3b87286081e66282d6bdb6013fa3964f4634c2423d
SHA512 767c3d8fb9831cb4289e4a6be22ad29757aaac4daa46329b02305deef045704427fd7d12674b050ba026ae6e0f9fc2b74df687889de3fde793fd6e27cf017369

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

MD5 ba624422b3bf6681c2caf63cfe3e7eca
SHA1 bd5ffb9249be63f14600a882098ddba9b5fa1299
SHA256 f40ad577c8891b44f22344eb970fbb858fdf030b8c8a46e1faca48b843b9a7bd
SHA512 75429cabab080bb203cba840526c1a94182cf619b1293ab40751280024fc9536c0045876ae676a77ec11e8202de7d5b538c600e43a3071c0b9fd6a11b14058ba

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 8af0f8fa98245f35212df5527845c733
SHA1 91c0f6f736a67bec77c1b9ac4ace3782615d6431
SHA256 3da2719fbd19fbbfa0f13caedf1fec57ea757f27bcffcb8a919bcdc5643f4a3a
SHA512 fbd28784d2f8352df56cce3f2345331f55eb13a85e96bc22760e7473787309ea5bc0e6b5e32a76e289eefa0d26e365bae941d31fe856d71f2a597e3c93ac2a24

memory/5996-1362-0x00000191313E0000-0x0000019131402000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_yb0crys3.wbv.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5996-1389-0x0000019131670000-0x00000191316AC000-memory.dmp

memory/5996-1400-0x0000019131AE0000-0x0000019131B56000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

MD5 cbc53eb850533b51f852377445973831
SHA1 c7924ce38f58fac52dc3259486d8669f9e4dddbc
SHA256 b8eb5d43ccc63d7dc0b2ce3164a51c2992a0cf8069fa821ba18ac3900f6e07c3
SHA512 0cc9bd77633cc48beaa9c4bce36ed29afc2a0bcce6566febd4b0498beb9888979cb9f474f4d377af3b32261d657bb6eb04412870c2798e3e6702bd2f4b27f2dc

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

MD5 79b10ba530903536e6bb7f7745dca23d
SHA1 389b9bb5c6b99eaf6c0f91bcb779d73fb21422c2
SHA256 a8c8f4de365db739d168d587af06c7e538d3b556b105da4b0e0acd0102af8540
SHA512 c640e89fe3b555b587adb812a8d0393c92348805ffef2b6a38b54eebd10a9ea22e03001a0cd480a7953d285f77b620bc09c1b223ae3ca5c4b3087b7a59be9462

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

MD5 8bbff90331624af9a08d36b27d50f088
SHA1 dea9fab8317a2e6237b7867fb572e1764a3c3f9e
SHA256 85a76b9acd12e40db1653180bd1353ce3cdae8c8f0c4f2387382c56f2477ec64
SHA512 99ef38f9d76499133349a3e6957b5b6da82de29f223474c08c6d5693ecfac442ed4c8d919981fe1d242cff27fd1f743ee13e695f1a567991c6af5cf39ce3389f