Analysis Overview
SHA256
201f5728c8000bfa84fea795c6acbba4d216bb2d75d8e239b10f19efc50b8b90
Threat Level: Known bad
The file zion.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Disables taskbar notifications via registry modification
Possible privilege escalation attempt
Event Triggered Execution: Component Object Model Hijacking
Modifies system executable filetype association
Modifies file permissions
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Checks whether UAC is enabled
Indicator Removal: File Deletion
Hijack Execution Flow: Executable Installer File Permissions Weakness
Power Settings
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Checks processor information in registry
Modifies Control Panel
Suspicious use of AdjustPrivilegeToken
System policy modification
Enumerates system info in registry
Modifies registry class
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-16 04:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-16 04:21
Reported
2024-10-16 04:24
Platform
win11-20240802-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
Disables taskbar notifications via registry modification
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Modifies file permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
Indicator Removal: File Deletion
Power Settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\WindowsApps\MI0311~1.0_X\RESOUR~1\gl-es\Resources.resw | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI369D~1.0_X\APPXMA~1.XML | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID178~1.0_X\Assets\Square44x44Logo.targetsize-24_altform-unplated_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\CONTRA~2\DOUGHB~2.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\CONTRA~2\HxMailAppList.targetsize-30_altform-lightunplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICB88~1.0_X\Assets\AppTiles\AppIcon.targetsize-24_altform-lightunplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIC0CF~1.0_X\Images\APPPOW~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI91CD~1.0_X\Assets\CONTRA~1\PAINTS~3.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~1.9_X\DASHBO~1\WEBCON~1\NODE_M~1\@FLUEN~1\theme\NODE_M~1\@UIFAB~1\UTILIT~1\lib-amd\rtl.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI16D7~1.0_X\Assets\CONTRA~2\AppList.targetsize-36_altform-unplated_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\CONTRA~2\HX8833~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI91CD~1.0_X\Assets\PaintAppList.targetsize-30.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI91CD~1.0_X\Assets\PaintAppList.targetsize-72_altform-lightunplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\CONTRA~1\HX6334~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MICROS~2.SCA\Assets\TIPSLA~3.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~3.0_X\Assets\AppTiles\CONTRA~2\WeatherAppList.targetsize-48_altform-lightunplated_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MID178~1.0_X\Assets\SQUARE~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\CONTRA~2\HxA-Advanced-Dark.scale-100.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIA3B7~1.SCA\Assets\CONTRA~2\FE9DE6~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI7115~1.0_X\Assets\CONTRA~2\FeedbackHubAppList.targetsize-32.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI1864~1.0_X\Assets\CONTRA~2\WIDELO~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIF8B8~1.0_X\Assets\CONTRA~1\WideTile.scale-100_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI8E4F~1.0_X\Win10\MI8272~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0946~1.0_X\Assets\PeopleAppList.targetsize-40.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\models\en-GB.Calendar.ot | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICAAC~1.0_X\Assets\AppTiles\CONTRA~2\MapsAppList.targetsize-20_altform-lightunplated_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MI6273~1.SCA\Assets\CONTRA~1\LARGEL~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~3.SCA\Assets\AppTiles\WE292F~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI9463~1.0_X\Assets\CONTRA~2\WIDETI~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIF169~1.0_X\Assets\PHE122~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\HxMailAppList.targetsize-30.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI226D~1.SCA\Assets\Icons\STICKY~2.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI495A~1.0_N\APPXSI~1.P7X | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI2937~1.SCA\Win10\CONTRA~1\MICROS~2.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI7115~1.0_X\Assets\FeedbackHubAppList.targetsize-30.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~1.9_X\DASHBO~1\WEBCON~1\NODE_M~1\@FLUEN~1\react\LIB-CO~1\Button.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI8E4F~1.0_X\Win10\MicrosoftSolitaireAppList.targetsize-256.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI1C7E~1.SCA\APPXSI~1.P7X | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIC0CF~1.0_X\Images\ILLUST~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\CONTRA~1\LI2B13~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~1.9_X\DASHBO~1\WEBCON~1\NODE_M~1\@FLUEN~1\react\LIB-CO~1\COMPON~1\DOCUME~1\DOEEEC~1.JS | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~1.0_X\Assets\Store\APPICO~4.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~2.0_X\Assets\AppTiles\CONTRA~1\NewsAppList.targetsize-256_altform-unplated_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0946~1.0_X\Assets\PE4697~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0311~1.0_X\RESOUR~1\bg-bg\Resources.resw | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MIF097~1.SCA\Assets\LARGEL~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI686B~1.0_X\Assets\TipsAppList.targetsize-30_altform-lightunplated_contrast-white.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\HxA-Generic-Light.scale-300.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\HxMailAppList.targetsize-80.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIB7BC~1.SCA\Assets\VOD00F~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI34E2~1.SCA\Assets\VOF131~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~1.9_X\DASHBO~1\WEBCON~1\NODE_M~1\@FLUEN~1\react\LIB-CO~1\common\ISCONF~1.JS | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~1.9_X\DASHBO~1\WEBCON~1\NODE_M~1\@FLUEN~1\theme\lib-amd\types\ISEMAN~2.JS | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI91CD~1.0_X\Assets\CONTRA~2\PA638E~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI3116~1.0_X\images\CONTRA~2\HX9B59~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI686B~1.0_X\Assets\TipsAppList.targetsize-24.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI8E4F~1.0_X\THIRDP~1.TXT | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI0946~1.0_X\Assets\PeopleAppList.targetsize-36_altform-lightunplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIB7BC~1.SCA\Assets\VOICER~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MI1864~1.0_X\Assets\CONTRA~1\APEAA3~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MICROS~1.9_X\DASHBO~1\WEBCON~1\NODE_M~1\@FLUEN~1\theme\lib\types\IEffects.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MI128C~1.SCA\Assets\CONTRA~2\APE116~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\DELETE~1\MICROS~1.SCA\Assets\TIPSAP~1.PNG | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\MIF8B8~1.0_X\Assets\CONTRA~1\MedTile.scale-150_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\images\clearSessionCookies.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\surfaceHubAccountPage.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeautopilotactivation-vm.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\NarratorHomePage.xbf | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\AppListIcon.targetsize-40.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~1\SearchFilter.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~1\windows.properties.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\pris\resources.en-US.pri | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\colorPicker\hueColorBar.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\previewTabIcon.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\square44x44logo.scale-400.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\css\inclusiveoobe-desktop.css | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\AppListIcon.targetsize-96_altform-unplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.SEC\Assets\Square44x44Logo.scale-150.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~3\Windows.ModernShare.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\CONTRA~1\GetStartedAppList.targetsize-60_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\images\checkmark.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-72_altform-unplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobecortana-page.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeenterpriseprovisioning-page.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\unifiedEnrollment\js\unifiedEnrollmentFinishedPage.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\AppxManifest.xml | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.SEC\SchemaActivationEmptyPage.xbf | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-36_altform-unplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\CONTRA~2\AppListIcon.targetsize-24.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~1\windows.compactmode.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~2\THEME-~1\windows.searchsendtocomputer.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WEBEXP~1\Assets\StoreLogo.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.SEC\Assets\Square44x44Logo.targetsize-48_altform-unplated_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\CONTRA~1\GetStartedAppList.scale-400_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\CONTRA~1\GetStartedAppList.targetsize-64_altform-unplated_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\NcsiUwpApp_8wekyb3d8bbwe\AppxManifest.xml | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\Assets\Splashscreen.scale-100.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\SlickGrid\slick.editors.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CallingShellApp_cw5n1h2txyewy\Assets\Square44x44Logo.targetsize-40_altform-unplated.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\Folder_Small.scale-200.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy\Assets\SquareTile150x150.scale-200.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\MediumTile.scale-125.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~2\THEME-~2\windows.iconsize.list.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~3\windows.iconsize.medium.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\basic-languages\src\coffee.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\debugger\Breakpoints\images\eventBreakpointConditional.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\GetStartedAppList.targetsize-16.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~1\encrypt-bde-elev.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\webapps\GUIDED~1\network\AREA-C~1\nl-NL\area-content.local.json | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-white\WideTile.scale-400.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\header\Images\emulationCombo.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeprovisioningstatus-vm.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Ratings\RatingStars44.contrast-black_scale-200.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorAppList.targetsize-80_altform-unplated_contrast-black.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\microsoft.windows.narratorquickstart_8wekyb3d8bbwe\assets\NarratorBadgeLogo.scale-100.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.OOBENetworkConnectionFlow_cw5n1h2txyewy\speech\0409\tokens_enUS.xml | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\contrast-black\SmallTile.scale-100.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~3\MakeAvailableOffline.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\FILEEX~1\Assets\images\CONTRA~3\windows.cut.svg | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\webapps\GUIDED~1\network\AREA-C~1\area-content.loader.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\VisualProfiler\images\i_f12_chartselection_clear.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\autopilotwhitegloveresult-page.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\SquareTile150x150.scale-100.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\resources.pri | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MICROS~1.SEC\Assets\SplashScreen.contrast-black_scale-400.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\Assets\Icons\CONTRA~1\MediumTile.scale-150.png | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Cortana.UI\cache\Local\Desktop\22.js | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchUx.MiniUI.winmd | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\takeown.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\icacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SlateLaunch\LaunchAT = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseSpeed = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseThreshold2 = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SlateLaunch\ATapp | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SoundSentry\Flags = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SoundSentry\FSTextEffect = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\StickyKeys\Flags = "506" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Sound\ExtendedSounds = "No" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\DynamicScrollbars = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\ContactVisualization = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\GestureVisualization = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\HungAppTimeout = "1000" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseHoverTime = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SoundSentry\WindowsEffect = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseThreshold1 = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\AutoEndTasks = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\WaitToKillAppTimeout = "1000" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Sound\Beep = "No" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1000" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\ForegroundLockTimeout = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\MenuShowDelay = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseSensitivity = "10" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{DA82E55E-FA2F-45B3-AEC3-E7294106EF52}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{10C9242E-D604-49B5-99E4-BF87945EF86C}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0\WIN32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\VERSIONINDEPENDENTPROGID | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\system32\BackgroundTransferHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LOCALSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\ODOPEN\DEFAULTICON | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\FILESYNCCLIENT.FILESYNCCLIENT\CURVER | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpCleanupState = "0" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\AppID\OneDrive.EXE | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\FLAGS | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13383" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\OOBERequestHandler.OOBERequestHandler | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "852" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\PROXYSTUBCLSID32 | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" | C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\TYPELIB | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2} | C:\Windows\SysWOW64\OneDriveSetup.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "23" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7065" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLanguageFeaturesUninstall = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLinguisticDataCollection = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar = "1" | C:\Users\Admin\AppData\Local\Temp\zion.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\zion.exe
"C:\Users\Admin\AppData\Local\Temp\zion.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SystemApps" /A & ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\SystemApps" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\ProgramData\Packages" /A & ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\ProgramData\Packages" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A & ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files\WindowsApps" /A & ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Program Files\WindowsApps" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A & ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A & ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows" /A & ICACLS "C:\Windows" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\System32" /A & ICACLS "C:\Windows\System32" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\System32" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\System32" /GRANT Administrators:(F)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SysWOW64" /A & ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)
C:\Windows\SysWOW64\takeown.exe
TAKEOWN /F "C:\Windows\SysWOW64" /A
C:\Windows\SysWOW64\icacls.exe
ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)
C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall
C:\Windows\SysWOW64\OneDriveSetup.exe
"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-1287768749-810021449-2672985988-1000
C:\Windows\SysWOW64\OneDriveSetup.exe
C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\helpPane.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\backgroundtaskhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\EaseOfAccessDialog.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\RuntimeBroker.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSClient.dll"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSCollect.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamebarpresencewriter.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamepanel.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\magnify.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mblctr.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\sdiagnhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mobsync.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\msdt.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\narrator.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\osk.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\smartscreen.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\backgroundtaskhost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\EaseOfAccessDialog.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\WSClient.dll"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamebarpresencewriter.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamepanel.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\magnify.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\mobsync.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerCPLApp.cpl"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerApp.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Windows\SystemApps"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\Packages"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Packages"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files\WindowsApps"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files (x86)\Microsoft"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorThrottlingEnabled" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleThreshold" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdle" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuLatencyTimer" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuSlowdown" /t REG_DWORD /d "0" /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "Threshold" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuDebuggingEnabled" /t REG_DWORD /d "0" /f
C:\Windows\SysWOW64\reg.exe
"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorLatencyThrottlingEnabled" /t REG_DWORD /d "0" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.197.219.23.in-addr.arpa | udp |
| GB | 2.18.66.177:443 | | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| US | 20.189.173.15:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| GB | 92.123.128.181:443 | www.bing.com | tcp |
| AU | 13.70.79.200:443 | browser.pipe.aria.microsoft.com | tcp |
| GB | 92.123.128.175:443 | www.bing.com | tcp |
Files
memory/1404-0-0x00000000748CE000-0x00000000748CF000-memory.dmp
memory/1404-1-0x0000000000C60000-0x0000000001026000-memory.dmp
memory/1404-2-0x0000000006220000-0x00000000067C6000-memory.dmp
memory/1404-3-0x0000000005B10000-0x0000000005BA2000-memory.dmp
memory/1404-4-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-5-0x0000000005D70000-0x0000000006176000-memory.dmp
memory/1404-6-0x0000000005C40000-0x0000000005C4A000-memory.dmp
memory/1404-7-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-8-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-9-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-10-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-11-0x00000000748CE000-0x00000000748CF000-memory.dmp
memory/1404-12-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-13-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-14-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-15-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-16-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-17-0x00000000748C0000-0x0000000075071000-memory.dmp
memory/1404-18-0x00000000748C0000-0x0000000075071000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini
| MD5 | 8aa47e5683f95bff9069d18be32dd7bf |
| SHA1 | c4849a64e672d788449e99570459d9cf01479580 |
| SHA256 | 874522ea4f17cbb735d6c37a7cfb536b95612e221acb812381988f86a221af94 |
| SHA512 | 3f9438f86de4c6c13b297aaecdcd501e8a254686578ea1dac21dcc25221be469a5942b6230bd5c6aa6851f578c04c0fca669b1498b0842e19110988088f51b5f |
C:\Users\Admin\AppData\Local\Temp\aria-debug-4156.log
| MD5 | fb0a9c5f9f814aeb7792dea6ce48e1b1 |
| SHA1 | bbf10f2536bda5f5514b36582942d5daca406d6f |
| SHA256 | 752c46dd0063f000460a917abc68dbfdc141bd13e51929da8b50dd896fc956b0 |
| SHA512 | 369ef702f7b5154be2728d659b3fe7e1d35a821bf011620da8e5bc06b9e6489784768f5cce1bfe487fef77fd14d5df273a0a3e6fb5435d0036c2251192b5506b |
C:\Users\Admin\AppData\Local\Temp\aria-debug-1576.log
| MD5 | 4921d917f5303babbe65701dcda03f8d |
| SHA1 | af8777042cb13d8418a379640c8500974422730d |
| SHA256 | e851ee8ab186d6e5249e6c2c84f408b3da956efc49d5f683635e0201acc1a07b |
| SHA512 | 7c5fd1324b5eb1a8f77abd6f56c5be84c57ec1338cc529ebc6b693217b3afd75d668d6b81abc4c642c442cd6a01ad35bc14cb062d4ad70f5b989ab4b815fb052 |
memory/2976-111-0x000002B485150000-0x000002B485160000-memory.dmp
memory/2976-127-0x000002B485250000-0x000002B485260000-memory.dmp
memory/2976-143-0x000002B48D840000-0x000002B48D841000-memory.dmp
memory/2976-144-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-145-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-146-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-147-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-148-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-149-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-150-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-151-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-152-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-153-0x000002B48D860000-0x000002B48D861000-memory.dmp
memory/2976-155-0x000002B48D480000-0x000002B48D481000-memory.dmp
memory/2976-154-0x000002B48D490000-0x000002B48D491000-memory.dmp
memory/2976-157-0x000002B48D490000-0x000002B48D491000-memory.dmp
memory/2976-163-0x000002B48D3C0000-0x000002B48D3C1000-memory.dmp
memory/2976-160-0x000002B48D480000-0x000002B48D481000-memory.dmp
memory/2976-171-0x000002B48D5C0000-0x000002B48D5C1000-memory.dmp
memory/2976-175-0x000002B48D6E0000-0x000002B48D6E1000-memory.dmp
memory/2976-174-0x000002B48D5D0000-0x000002B48D5D1000-memory.dmp
memory/2976-173-0x000002B48D5D0000-0x000002B48D5D1000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133735261577751553.txt
| MD5 | bdc81799edc9c77b2ecfc38b6435a11e |
| SHA1 | 78cdec901434a3200735f1ed87f6c99d80d93400 |
| SHA256 | b7cd92bfe9bbbdde14ce6034e4d61aaefd0ad6bcd3611a3ff5035e86ee13717b |
| SHA512 | 139785e60f125153387137abd3d262ca56fd96a3ddcbce46d6e1660cd4af07a728470d629fcd67af18a41246c662e3acebed14050ac6e87c0aebbdf7370ac93f |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
| MD5 | 1db819a57c8f19e97ffb9d8d26b544bb |
| SHA1 | 9a5190d22511f2a5154f3f17088ca19594eda359 |
| SHA256 | 4e0f55e7707c0d44191d20f4f77cf2669bd98f0735d87c5274c2f4ac5dd1dafe |
| SHA512 | a254e934b16e53458ac590ebb8708b6f68711ff02b914f028e0fdd8f5ce84d8282f66be00b5a316a37cb2275c8e84474b0feeea2bed0e71225a9b364eb8470e4 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat
| MD5 | c08086829f791edbd1229b9896c60b7e |
| SHA1 | 6ec4cac5a5e7b6a6a527ad9c77fe54d7810f995c |
| SHA256 | 4456e9491aeda042d10e271b93d5cd70c9e1984298b5f190bda925c1ad5a70fc |
| SHA512 | c661035b42b50e70983e6d3aa1f6f715f0f303fecf6f5a23ce7c0552a5bd6c1db0bdd7d6fce5f019a87eaecfe02725816dd34f549d4affdb5569615c5f03efab |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt.~tmp
| MD5 | 766f5efd9efca73b6dfd0fb3d648639f |
| SHA1 | 71928a29c3affb9715d92542ef4cf3472e7931fe |
| SHA256 | 9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc |
| SHA512 | 1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434 |
memory/3040-280-0x0000026D57A00000-0x0000026D57B00000-memory.dmp
memory/3040-281-0x0000026D57130000-0x0000026D57230000-memory.dmp
memory/3040-316-0x0000026D57130000-0x0000026D57230000-memory.dmp
memory/3040-343-0x0000026D572D0000-0x0000026D572F0000-memory.dmp
memory/3040-344-0x0000026D5A400000-0x0000026D5A500000-memory.dmp
memory/3040-351-0x0000026D572B0000-0x0000026D572D0000-memory.dmp
memory/3040-350-0x0000026D59390000-0x0000026D593B0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSOPV8U8\www.bing[1].xml
| MD5 | d0787134c4293f1ea470c4a72ac38c17 |
| SHA1 | ce125bcbefa74cd1eae95a08ff0a5589ee429f45 |
| SHA256 | 3e9abcf9c8071e2b8632af1958d469a21a74525523f70cdabfcf3e5058155408 |
| SHA512 | 3902d0d19759d186b2eef5a4bb8dc839181893c3c6a0b62770ce67574a134c1ee7ccc53ff06a3d6c33015578717530d7898e6daf1bedd13c73e7f36857ec49d1 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSOPV8U8\www.bing[1].xml
| MD5 | dc72a200ca131bd52ae91894e0f5dcf6 |
| SHA1 | 4a97a1b43d0ac314067c74adceb21fdb47e5ed5d |
| SHA256 | 31d4951a5f9b2925302225ef3744945a4fac7a77983d2b9b3819b05eeebd758f |
| SHA512 | f85e522cd293b0f30f19e09b20010faab85364bb1a962345310ed76756ed8ccd181f31e6515698b1c0fc922ed31b4fbe33c6b3f5e15cbed7c02aab05bb3025f4 |
memory/3040-445-0x0000026D6E320000-0x0000026D6E420000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSOPV8U8\www.bing[1].xml
| MD5 | 112728e24578fafc1d6fb9b68675f92c |
| SHA1 | a4fbbecc14968dde8ef9c08f4072bc4fced774d7 |
| SHA256 | e05393d9aa03d5d8f6e02e7a13a774601381648feab3aa6247511e0161a61060 |
| SHA512 | 020f3712b4ef00468ec28442d3911590b1c8d42ae1ad1935635d0f84f34352ecbf6015ed03032eec33925b080c151c0e228f1f46d49f8283f4f16637fd7a7b19 |
memory/3040-549-0x0000026D70CF0000-0x0000026D70DF0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSOPV8U8\www.bing[1].xml
| MD5 | ca669931be81bc47829a4720d0e30a3c |
| SHA1 | 3166d55f17f8128641aafadeca3be6958d4b6dba |
| SHA256 | 82be4af098f877fbc8077041cb9287975574b46a26276de342f0b2b859d6db37 |
| SHA512 | 64423cb252904500c2d69f913d8df1ba19c6edf9624c7fc64eab9fe756c0f1220961292cd1b2b954a477cdc697e1bc4275efd87fdef7ed60b94eb5517ec8b27d |
memory/3040-1714-0x0000026D57EB0000-0x0000026D57ED0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\BackgroundTransferApi\1d6a48e3-66ed-4fcb-8f74-15d48ade4b4d.up_meta_secure
| MD5 | e6b8728abce713ea25a45b14f1208df8 |
| SHA1 | be2e59aa781006d87d8df087e888a10938e9c04d |
| SHA256 | 37f308201eb15edc49f8bd1e8e7911c54f075e3b3e3382a2dd67d2c0f03e2aea |
| SHA512 | 025b2d8e158adb7701c933952a833a3d5bdad96688ddca43fbc990d3a661bd480b6fc2da143e3b81fd3607c3fafedb9fbb08e1b245d8949537b3063590c5259a |
memory/3040-1808-0x0000026543EC0000-0x0000026543FC0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
| MD5 | 14303f56f374092f7bd9c122382b4b4a |
| SHA1 | 1964ef2d8f43042835707a891e1ac0ee97f7f204 |
| SHA256 | d324246976a38223ddca2f56dc2351a955cc49012d63f2969703441ffe93e303 |
| SHA512 | 4c4fddd22c85a1b665694705cdb3b52b6b033725787e6b89629b15252e579ff328c781c646822423ee4a7f01fd4037320001f2ea4f232fcffc89135fbc7eb422 |
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
| MD5 | 9e367f47ec46959c62cf9189500b2709 |
| SHA1 | b891255c46f71483cbc197ecd4fd2c248b29d0f1 |
| SHA256 | 19269a6963505acdda6b1c16b328205c52c3b0117db6cdf3adfa440f79fdff20 |
| SHA512 | 994bbaaef152f7c916cd035245719b4e03e1646912a2ff901bd6e362edcc958a0a0e5f5b3aed8351dfe65d0bfd2a092ce467422d3a7027f1537338fdf557d5d2 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1d6a48e3-66ed-4fcb-8f74-15d48ade4b4d.down_data
| MD5 | 5683c0028832cae4ef93ca39c8ac5029 |
| SHA1 | 248755e4e1db552e0b6f8651b04ca6d1b31a86fb |
| SHA256 | 855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e |
| SHA512 | aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3 |