Malware Analysis Report

2024-12-07 14:31

Sample ID 241016-eyn6kasdkd
Target zion.exe
SHA256 201f5728c8000bfa84fea795c6acbba4d216bb2d75d8e239b10f19efc50b8b90
Tags
defense_evasion discovery evasion exploit persistence privilege_escalation ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

201f5728c8000bfa84fea795c6acbba4d216bb2d75d8e239b10f19efc50b8b90

Threat Level: Known bad

The file zion.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion exploit persistence privilege_escalation ransomware trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Disables taskbar notifications via registry modification

Possible privilege escalation attempt

Event Triggered Execution: Component Object Model Hijacking

Modifies system executable filetype association

Modifies file permissions

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Checks whether UAC is enabled

Indicator Removal: File Deletion

Hijack Execution Flow: Executable Installer File Permissions Weakness

Power Settings

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Checks processor information in registry

Modifies Control Panel

Suspicious use of AdjustPrivilegeToken

System policy modification

Enumerates system info in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 04:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 04:21

Reported

2024-10-16 04:24

Platform

win11-20240802-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\zion.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A

Disables taskbar notifications via registry modification

evasion

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\SysWOW64\OneDriveSetup.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Windows\SysWOW64\OneDriveSetup.exe N/A

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A

Indicator Removal: File Deletion

defense_evasion

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A

Drops file in Program Files directory


Drops file in Windows directory


Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SlateLaunch\LaunchAT = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseSpeed = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseThreshold2 = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SlateLaunch\ATapp C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SoundSentry\Flags = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SoundSentry\FSTextEffect = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\StickyKeys\Flags = "506" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Sound\ExtendedSounds = "No" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\DynamicScrollbars = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\ContactVisualization = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Cursors\GestureVisualization = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\HungAppTimeout = "1000" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseHoverTime = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SoundSentry\TextEffect = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\SoundSentry\WindowsEffect = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\ToggleKeys\Flags = "58" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Accessibility\Keyboard Response\Flags = "122" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\LowLevelHooksTimeout = "1000" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseThreshold1 = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\AutoEndTasks = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\WaitToKillAppTimeout = "1000" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Sound\Beep = "No" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1000" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\ForegroundLockTimeout = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\MenuShowDelay = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Mouse\MouseSensitivity = "10" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{DA82E55E-FA2F-45B3-AEC3-E7294106EF52}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{10C9242E-D604-49B5-99E4-BF87945EF86C}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\0\WIN32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{2E7C0A19-0438-41E9-81E3-3AD3D64F55BA}\VERSIONINDEPENDENTPROGID C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}\1.0\FLAGS C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\BackgroundTransferHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6} C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{C9F3F6BB-3172-4CD8-9EB7-37C9BE601C87}\1.0\HELPDIR C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\ODOPEN\DEFAULTICON C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\FILESYNCCLIENT.FILESYNCCLIENT\CURVER C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{9D613F8A-B30E-4938-8490-CB5677701EBF}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{5D65DD0D-81BF-4FF4-AEEA-6EFFB445CB3F}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState\EdpCleanupState = "0" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\AppID\OneDrive.EXE C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{ACDB5DB0-C9D5-461C-BAAA-5DCE0B980E40} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{31508CC7-9BC7-494B-9D0F-7B1C7F144182}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\FLAGS C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13383" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{EE15BBBB-9E60-4C52-ABCB-7540FF3DF6B3}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\TYPELIB\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{f0440f4e-4884-4a8F-8a45-ba89c00f96f2} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{8B9F14F4-9559-4A3F-B7D0-312E992B6D98}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\TypeLib\{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LOCALSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{B05D37A9-03A2-45CF-8850-F660DF0CBF07}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\INTERFACE\{9E1CD0DF-72E7-4284-9598-342C0A46F96B}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\INPROCSERVER32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\OOBERequestHandler.OOBERequestHandler C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "852" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\INTERFACE\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\PROXYSTUBCLSID32 C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_CLASSES\WOW6432NODE\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}\TYPELIB C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2} C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "23" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "7065" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zion.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\OneDriveSetup.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 3760 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3760 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3760 wrote to memory of 4108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3760 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3760 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3760 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1404 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3668 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3668 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3668 wrote to memory of 132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3668 wrote to memory of 132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3668 wrote to memory of 132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1404 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 4600 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4600 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4600 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4600 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4600 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4600 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1404 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2032 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2032 wrote to memory of 1640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2032 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2032 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2032 wrote to memory of 328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1404 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 984 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 984 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 984 wrote to memory of 3184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 984 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 984 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 984 wrote to memory of 2372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1404 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3888 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3888 wrote to memory of 2916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 3888 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3888 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 3888 wrote to memory of 2984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1404 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe
PID 1368 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1368 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1368 wrote to memory of 1480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 1368 wrote to memory of 3116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1368 wrote to memory of 3116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1368 wrote to memory of 3116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 1404 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\zion.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\MaxTelemetryAllowed = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowOnlineTips = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "255" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAMeetNow = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLanguageFeaturesUninstall = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\TextInput\AllowLinguisticDataCollection = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInstrumentation = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffSidebar = "1" C:\Users\Admin\AppData\Local\Temp\zion.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\zion.exe

"C:\Users\Admin\AppData\Local\Temp\zion.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SystemApps" /A & ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Windows\SystemApps" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Windows\SystemApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\ProgramData\Packages" /A & ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\ProgramData\Packages" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\ProgramData\Packages" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A & ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Users\Admin\AppData\Local\Packages" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Users\Admin\AppData\Local\Packages" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files\WindowsApps" /A & ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Program Files\WindowsApps" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Program Files\WindowsApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A & ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Program Files (x86)\Microsoft" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Program Files (x86)\Microsoft" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A & ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows" /A & ICACLS "C:\Windows" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Windows" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Windows" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\System32" /A & ICACLS "C:\Windows\System32" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Windows\System32" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Windows\System32" /GRANT Administrators:(F)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C TAKEOWN /F "C:\Windows\SysWOW64" /A & ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)

C:\Windows\SysWOW64\takeown.exe

TAKEOWN /F "C:\Windows\SysWOW64" /A

C:\Windows\SysWOW64\icacls.exe

ICACLS "C:\Windows\SysWOW64" /GRANT Administrators:(F)

C:\Windows\SysWOW64\OneDriveSetup.exe

"C:\Windows\SysWOW64\OneDriveSetup.exe" /uninstall

C:\Windows\SysWOW64\OneDriveSetup.exe

"C:\Windows\SysWOW64\OneDriveSetup.exe" C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /permachine /childprocess /silent /renameReplaceOneDriveExe /renameReplaceODSUExe /cusid:S-1-5-21-1287768749-810021449-2672985988-1000

C:\Windows\SysWOW64\OneDriveSetup.exe

C:\Windows\SysWOW64\OneDriveSetup.exe /uninstall /peruser /childprocess /renameReplaceOneDriveExe /renameReplaceODSUExe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe

"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" /uninstall

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\helpPane.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\backgroundtaskhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\EaseOfAccessDialog.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\RuntimeBroker.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSClient.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\WSCollect.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamebarpresencewriter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\gamepanel.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\magnify.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mblctr.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\sdiagnhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\mobsync.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\msdt.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\narrator.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\osk.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\System32\smartscreen.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\backgroundtaskhost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\EaseOfAccessDialog.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\WSClient.dll"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamebarpresencewriter.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\gamepanel.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\magnify.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\mobsync.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerCPLApp.cpl"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C DEL /Q "C:\Windows\SysWOW64\flashPlayerApp.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Windows\SystemApps"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\ProgramData\Packages"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Packages"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files\WindowsApps"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Program Files (x86)\Microsoft"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C RD /S /Q "C:\Users\Admin\AppData\Local\Microsoft\WindowsApps"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 MicrosoftWindows.Client.CBS_cw5n1h2txyewy

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\943c8cb6-6f93-4227-ad87-e9a3feec08d1" /v "Attributes" /t REG_DWORD /d "2" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\381b4222-f694-41f0-9685-ff5bb260df2e" /v "DCSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\54533251-82be-4824-96c1-47b60b740d00\3b04d4fd-1cc7-4f23-ab1c-d1337819c4bb\DefaultPowerSchemeValues\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c" /v "ACSettingIndex" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "AllowPepPerfStates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy" /v "fDisablePowerManagement" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\Default\VetoPolicy" /v "EA:EnergySaverEngaged" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PDC\Activators\28\VetoPolicy" /v "EA:PowerStateDischarging" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Misc" /v "DeviceIdlePolicy" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "PerfEnergyPreference" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMinCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPMaxCores1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CpLatencyHintUnpark" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance1" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "MaxPerformance" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPDistribution1" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKCU\Control Panel\PowerCfg\GlobalPowerPolicy" /v "Policies" /t REG_BINARY /d "01000000020000000100000000000000020000000000000000000000000000002c0100003232030304000000040000000000000000000000840300002c01000000000000840300000001646464640000" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Cstates" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Processor" /v "Capabilities" /t REG_DWORD /d "516198" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "HighestPerformance" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MinimumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumThrottlePercent" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "Class1InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "InitialUnparkCount" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power" /v "MaximumPerformancePercent" /t REG_DWORD /d "100" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerThrottling" /v "PowerThrottlingOff" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPHEADROOM" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\Control\Power\Policy\Settings\Processor" /v "CPCONCURRENCY" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorThrottlingEnabled" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdleThreshold" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuIdle" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuLatencyTimer" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuSlowdown" /t REG_DWORD /d "0" /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "DedicatedSegmentSize" /t REG_DWORD /d "1298" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "Threshold" /t REG_DWORD /d "1" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "CpuDebuggingEnabled" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\ControlSet001\Control\Processor" /v "ProccesorLatencyThrottlingEnabled" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.197.219.23.in-addr.arpa udp
GB 2.18.66.177:443 tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
US 20.189.173.15:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
GB 92.123.128.181:443 www.bing.com tcp
AU 13.70.79.200:443 browser.pipe.aria.microsoft.com tcp
GB 92.123.128.175:443 www.bing.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\setup\logs\DeviceHealthSummaryConfiguration.ini

C:\Users\Admin\AppData\Local\Temp\aria-debug-4156.log

C:\Users\Admin\AppData\Local\Temp\aria-debug-1576.log

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133735261577751553.txt

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchUnifiedTileModelCache.dat

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt.~tmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\GSOPV8U8\www.bing[1].xml

C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\BackgroundTransferApi\1d6a48e3-66ed-4fcb-8f74-15d48ade4b4d.up_meta_secure

C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1d6a48e3-66ed-4fcb-8f74-15d48ade4b4d.down_data
