hxxp://edu[.]mon[.]bg

Resubmissions

24-02-2024 18:47

240224-xfdk8abc77 1

24-02-2024 18:44

240224-xdr1tsca8s 6

24-02-2024 18:39

240224-xas4qabb22 5

Analysis

max time kernel
148s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://edu.mon.bg

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe

Checks SCSI registry key(s) 3 TTPs 40 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102ab9595167da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1473128013"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8372E813-D344-11EE-AF9B-EE74A7D06AE4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1473128013"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31090513"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000740ef7389e92bc418120e6d18cb0b20100000000020000000000106600000001000020000000f01daea24cdeb4605c8f8351f1343afb9552fefe39cdf790dd2c3c27316b946c000000000e800000000200002000000053166ef47dc3f9554c49e3828738e6e859fee3de5cf379e3679ebf7d84f25ab62000000036fd8daa807d75e7eab9d20b4203ad51bb26927db613cea98611ef2ac4bb52d94000000021761c3b438239bd45ba448f7c236ec207c9d7cfdb77a0289a45d93a5a4a6dbbb3e1d0e1b9b3bc79e8d65935f53d4fd88911a4a3d667226c3cdfc4a51a857615	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30b4af595167da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31090513"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000740ef7389e92bc418120e6d18cb0b20100000000020000000000106600000001000020000000e2dd019409e39050bf56656b29885301add4867f2a754f78dd46e4bd05f9bc50000000000e8000000002000020000000da25ebcfc04774c0ee5bf42f9150dbb04bddd3df788496a5435abaa3659c5306200000008d3d76478460666c14050aecb7f7f93f14b5f3661a7348623dba64d5b6b7aef14000000019ed824d375cdc2c181d9b8d76adc9a29b3463f9cdfc9e352be3e56dafe3cad2a5a30179a992d21dacd22b8a96181eda4d58b103d9d0fd505be0a338678a2007	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1712835645-2080934712-2142796781-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId	CastSrv.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3748	NOTEPAD.EXE
4464	Notepad.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1568	msedge.exe
1568	msedge.exe
5004	identity_helper.exe
5004	identity_helper.exe
4236	powershell_ise.exe
4236	powershell_ise.exe
4236	powershell_ise.exe
4036	msedge.exe
4036	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	powershell_ise.exe
Token: SeShutdownPrivilege	4576	control.exe
Token: SeCreatePagefilePrivilege	4576	control.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: 33	3608	mmc.exe
Token: SeIncBasePriorityPrivilege	3608	mmc.exe
Token: SeShutdownPrivilege	1824	control.exe
Token: SeCreatePagefilePrivilege	1824	control.exe
Token: 33	2100	mmc.exe
Token: SeIncBasePriorityPrivilege	2100	mmc.exe
Token: 33	2100	mmc.exe
Token: SeIncBasePriorityPrivilege	2100	mmc.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1764	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1764	iexplore.exe
1764	iexplore.exe
5008	IEXPLORE.EXE
5008	IEXPLORE.EXE
5008	IEXPLORE.EXE
3608	mmc.exe
3608	mmc.exe
2100	mmc.exe
2100	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1964	1568	msedge.exe	62
PID 1568 wrote to memory of 1964	1568	msedge.exe	62
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 4612	1568	msedge.exe	90
PID 1568 wrote to memory of 1360	1568	msedge.exe	89
PID 1568 wrote to memory of 1360	1568	msedge.exe	89
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91
PID 1568 wrote to memory of 2468	1568	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://edu.mon.bg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc5e346f8,0x7ffcc5e34708,0x7ffcc5e34718
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,3475954003840024266,10074170755023149236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:3644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Desktop\SetPop.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SearchRegister.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:3748

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\SubmitStop.vbe
1⤵
- Opens file in notepad (likely ransom note)
PID:4464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1764 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultff61d952ha490h4215h8355ha4e028918d1a
1⤵
PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffcc5e346f8,0x7ffcc5e34708,0x7ffcc5e34718
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,16944899771885543242,17314903587894363559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16944899771885543242,17314903587894363559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16944899771885543242,17314903587894363559,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3016

C:\Windows\System32\CastSrv.exe
C:\Windows\System32\CastSrv.exe CCastServerControlInteractiveUser -Embedding
1⤵
- Modifies registry class
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault45f338beh42cah415bhb7dahf4d749df8f57
1⤵
PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcc5e346f8,0x7ffcc5e34708,0x7ffcc5e34718
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4334050372183045853,1293631808907264676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4334050372183045853,1293631808907264676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4334050372183045853,1293631808907264676,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3552

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4576
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3608

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4836

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1824
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
  2⤵
  - Drops file in System32 directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e189354a800c436e6cec7c07e6c0feea

SHA1
5c84fbda33c9276736ff3cb01d30ff34b032f781

SHA256
826adca1e688de79a3ec5b91c75990927fb2a33ae717f474608c68336053f427

SHA512
ceb069a5e83a634503e253846fa17b8bf7aaa539c3353ce61251633d69068e24c5eadd1b496f43058790d2b513e65d2c0b0213730813d0b58bb82a00596e05e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a2978705748680dfbffcc0dea8f22fd3

SHA1
32544ca5504e49ddc9e2966225fdd028a60df48a

SHA256
4894e234312f66959ab89bce09abb366e4934a1fe7dcb38589618a23a4085a06

SHA512
c34d37a6d759b3ec396f34bfc75bec019659f87c4f0648d4165a44ae6a7769bf5221be17a2631bef1d89fb21786805b2ce5f346a63ceaa1a7b9a0153dc59308c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4ba42c4751cb093bbd7ec09828d5dfcd

SHA1
4ab28f76f6af8380309998a09d8b1a8068a53ac4

SHA256
6056513a2d5a39503577d3d2cbe3409d2b865876b6faf9e4512ae5205a6a29af

SHA512
2e59b6208af14bca7ecbcd575f82a0ed4a84b4d27c8003f4932cd78d0ee8f7c410f3b4f8ad7d94a6781b76673be09eb1a41cf59ec2ae94b9fe6af1ffe67a2615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9e3e150cfe464e9ebf0a6db1aa5e7a2

SHA1
3cb184e2781c07ac000661bf82e3857a83601813

SHA256
2325a6292907263d1fb089a09f22fbcc6bad56f4961d427efdef1abaef097bcc

SHA512
f5eb1e76eb9441cf5000d8d4db9296077b61714ead5012779c084b37f4bba07614055738f5dce69b13b25975d9b7c03eab049b7685eee09b23fd8d4a7d71a039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1fe53988-3384-420b-a8e6-4ddba74f8292.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
3c6c2953d45e50271d33d2eacb9b800f

SHA1
bc231bcf1793e0b3f89d02645cad2a22c82f865b

SHA256
5005a6ce7a6b3ad048d0c7d55713350142d5613c3916d884684866a836625b2c

SHA512
2994519f8abd65b89401272720692766c4a73e6d34da20489be203dc053abe9bac0b86d32ee9f271b59ac40192e0d4850496334b05b0ad7af87ef2e9506503d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
20ecbff81f1cb19e370085aa2d29a891

SHA1
1acaf080eda1545fc175ab58bc011d19bf7237eb

SHA256
9b56aaf88548a86d124acd4ba08fefb42a1cd8dd4304bbbddc8993842c7300c0

SHA512
7863369b5fc719e0b7d3c0519bf11feb0b09b34cb4c40ab159ceaee7754ad099853b0390ffbb78a47988c6b9451057911a7c781762ce328247a708aafb054d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
24KB

MD5
ab3edf64ebeacd8fab7776ddd181a5d8

SHA1
6b638099d8e01473ca1a31a7bfbaac5e5d908e2f

SHA256
92f7335ae99fe5a940f202f7688501eaa689d720fde6e46e94174a09c8cf7058

SHA512
6f88637a86c8e483d7f6a901546bf8021fa5158ec1a758ef116abbc362e7bde2a93ca7c7e490858cc40725d9cf9e887c9bde2c951020a3c6583bb8fdb51e5d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
14ab186e2b8afc5e7d6bef1a391a8186

SHA1
0337d6fd65e17a7380e3db376605651065b150ab

SHA256
8cb15ffbfca334e36df4bc0080f6b8744499dba614d927b3a7cb96989eb6cfe4

SHA512
bc25aeae9d5a71bc196f372dc953b974a222c34ffe00cbbdc2e916d665ee0e4d8acfec1a9bb6c6f172a5de3df1558efa42adcde6bf6ea18dbfa7b50923b5103f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
495B

MD5
f58839d3f57f6b2703efd9224a9f7256

SHA1
178ae158160d98a1bcee02fbd3e766e94b5bfaaf

SHA256
5c5bd2aa36b0872f27d89ed50267882b2294237f80d307413c9db29ed85462fb

SHA512
3cbb2cef3ec653d0c07cea891d75759437b3686edc0c236d8511daa5c42818b9ae3f2fb171e5a6d0df8709df0ecd55a04d2e554268aa50150fc3e51229bc8073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
4dd57da895fef9210a8f0c682c5606de

SHA1
ba93e752612383792ac4e182172b47c1742eb287

SHA256
ef00315582ef16fe004245d7f6f253c66230bde9fa72b36cff1eec48cb07774c

SHA512
420dddf33f2ca392b5875156cd7cd41d65fada0289ce7a60e3a09b139fb9bc335abcf3ee006d09469d9a315b9cc7578ee26e987665fbdf40252769cf95799180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
647B

MD5
bd6106bf351858a04725232810449ad2

SHA1
bea6d5eef939ef88e33c010c0bbfc3a17b069255

SHA256
0c6ecaa052bddb1e76e775af086cf4c6c45597b22c427b96533b682e87bc04ee

SHA512
1069bfb888189ee15e844251eead30ff6f29b860dcc671740125606e403037fc3f415ba20f8fc252acc2ab08422935fdb944c37c1429c2c0f5a11e95951978d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0bf8dd4062867343431814ae1b397ba9

SHA1
29efa4f244cf9576ef659fb2ac0b7e217a8b291e

SHA256
3fef37d6537fe8f291c1db5978d15fb74db43ca9842b1175fb2aefd2f12b2af1

SHA512
86ca85cc6249142e7cb3b8c81d3fcdf964a52f50ee3116f17c505c94fc14872239a92d4877e1b313a99618a0bc10750fecabfb2fb7764cef360ea79841eaab9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ea48f5f1b0eef8e4ef9b642f18dcc8e4

SHA1
bacfc9c542ac91dff47bdd15c901d5b02726fbba

SHA256
4a560677760bd91f043011ed651daf0578bf8ed2c174ebea5fff67eba1a6a88e

SHA512
38c968c5363cac75fb95cf77d7cc52d297d77125997e860efc109b30700309e945f1b68953db41624ca99adae7d18805a4f3c06f4206e08d7619c14a4af6093a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de93543aff4da483a1b47eed85112d78

SHA1
c471d31bac4f9a6449e1f3559474d5a08c8a8dc1

SHA256
f8caaa62d0db7222a1b67b2642a52155ac07354fee9a79812445298161ce65b6

SHA512
909a45ee4d4d94de2d23d55cddb05c54eaf18edfc8bfceff0849eeaf6a27ac474c282220197471c35c7dd9c45a5bf46b2590866833b81b98429d6ecab26bc05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0241676db83942d5dfff88d32618f297

SHA1
bcee7fc733ce2ca73ab669a8fafa54013a9614ba

SHA256
e85333461b66cb47a21117bd33f564c2aba69872f18740c98c3643839b01eea7

SHA512
57e0d73f1bbce718190eeb9c690ed66c7b8be502e66726d77ef887564b7828851c55cc874f9bed2bca22e31ea286587371326dca7e153e0c43ce62d4c1c94114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
f05b044077a8a634906767f1c6eb19a5

SHA1
b21d39c0c083d7d2b3969bdbc7ec05bc42cb6cab

SHA256
58ba585a2d57ead58bd5b8dba643019c2a419bd8046ccc25bd2314e666ecb67c

SHA512
b1b497e81d60f557f63cff8c4fc2d93d30f1f40d1974c8f2497b210fafb46c8ad2d361900371499e886e5157bd5f0195a02cd9d906de5071027a5bbab12a584b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
48d81444451953f939afad43171994a2

SHA1
1b4e3c3ad12f5f828c7244cf2e8d0155c1e12bfd

SHA256
530351132fd47741b7c6e9706029714e9a8ba11429faa896e2f933ff40ae9cb0

SHA512
7160dc6fc1ff50ee80e74aee2816c173817f61860a5e282882b3efa25c44be0412f07069dac3e436eca912992eece0442950fb9284534ba11db8d034810699d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
0b584097ebe7374114ce518a0359ed7f

SHA1
bba6ce7884245e01940cb963fe009ce927106708

SHA256
2f7780b5b8a6c64856a4f088004edc1c77c46254fbead7d6f47580f00a65fe92

SHA512
0a245f36f3a375fb5d9651fc2ad89db30eb993486bf1191c3b82cf0abca9854e8ea9d7199d71b407321a031f7603a1e6ce558518c3be5436d1b8faf26ac0ae00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
ee1d17275b6c96a6c05e49db687e8424

SHA1
78b79d480a3bd37cb570ec4be5aa1ac0544c8954

SHA256
4f640158f4f2033236acb2840ab92142c3bc72a021bcc43dc8360b4cdaa0e7c0

SHA512
069ad9fa0f75741ed15da2ec4a8060fad2f544b8d91ade1c7ba36583f95bf9b27c4bfdd34702359e2aae743a522208c83ccb5c3fab4bed6c455f91f8887f0a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
d3fde56aa13b8c93ac5e3d50e006db12

SHA1
880c640d65a6b73c86c3952c46122c40ceab8f2f

SHA256
867d3b4ef83e8140a8bb2052f30b466d4e3df36f5e64b8cfbec048ca5637c71e

SHA512
1a60be27600c99cce9ecbd7d51c91fe93bd94128f894d6e2cd1a4c09f7c80a97bfcc15c947a30d802a894bb473d6d9a8fff5033b0f3b7fbd3bc13514ecb7af66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
1febf0982aed6cfbc96042fd8c3e4c87

SHA1
ff7908572508ae4ec3d89766606adfe9fb43e5d8

SHA256
0ebb61342e18978b5d45700d124b16561b1d55764b43dfffbdae5ae7b6335a5c

SHA512
6a421328a4a250ed984f902bdfd1c210f20152ab6657ccc53a754534065485f9869ced384fe226c91cf82a9f966ea7d2f29322d34d76bbe7a32a8fb312304b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a74c.TMP

Filesize
371B

MD5
27adfae9eb92d0ff7b0cdae16ed3d338

SHA1
97d2582b3ce3f82efa30e145d9a8e62ff04834ce

SHA256
0a4aae10e308a7dd2c883608f5b8609b9c4d325cd12a946c7f2ca00aabf59fb3

SHA512
0e7703364b1030e9a8694148adc75b100b7afd4b34329c0ef0b12e235a490020f5e6e24c6a492b2a00f29a1fd2c1487833bc59b23441ad87c0098be02dbfe918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
125KB

MD5
f580bf3a9b80cc8871a9b56d698fab3c

SHA1
0e211d51d960eb0882230969a31addd11bd75fd6

SHA256
94dabdfdae510528af5fc864ecd80c8446e18f12df38923cd7034ff0a42b12e8

SHA512
86c1691477053aba2aabb8764f386011e2d75b92994a10c70efb763d652f5fe0bf4ae3bd780722448001e75b5880d62898dbac2056b69f180c9f4c77537d1fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8bcb467c09234fd9ff39cde794b45849

SHA1
8a8c1c22409c27b645608a87696c867979316ded

SHA256
569dc7ca89e3639e0ecfcbc855972dd04523dc17226f4252d32cc50777dfaab5

SHA512
5c09592d01523ccac27607ba3c4ef3ae86a077621371255a90f61fc80d02b72ed873dacfc7f5becfec8320804ec3ee916cae033f49f47ea5f6908cebae94a506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
090e29295a75c7d25d22f6990ba9e1e0

SHA1
eb3d638a8540cf949b9e77503e57ecbc3dda0eef

SHA256
73f87ebafb6381c2ee0af9c472d0bda3f3ffd1a4dfad5bc3e4992e259fa46a88

SHA512
73303af71aa6c59e357183eb9fb19d00c5271817fb18e09a7a2661789f6073b03a46af2f50386d88e70b775b21be343fc0854b216a89dcbc7956fcdea830ab18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e04f116e2748d2f4ecee079135494eb

SHA1
29fff607c15188f81eeb6375ab86e8e09cd2d7d9

SHA256
60f6ffae70455bf77d80bbe819954e3ff24433d495e865bd8d4fa15ab266c174

SHA512
3f3d2946655736cf1adc3c20fa981b4b1807b5f32d1a9c613afbb77565bf59e7a5288ef93be85968905fa053de719ad896981564d5d16abe8c95b5518545b668

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
69739935c77d95c3fb2d12e500f387c9

SHA1
de031e1d23bc3415940bed990c2129ecba512d5a

SHA256
24ce01dce8296294eb4893c196381dc5e3521b70fc88c41cf38791d22685a05f

SHA512
2e46e8e04845c347b3a4b42d7cd4256f6ffd3c0e7f9dd472f8c8149165572088966894db4be45ee8dd980aa9f0c26fe3bbde52d5b08a603b35598cd84c140fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qfgveb2i.hqj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\INF\c_apo.PNF

Filesize
6KB

MD5
d86fe32538e566744be07ef24e10b8e7

SHA1
674b152c247a32ce59414e04cb3a41875eba7069

SHA256
23087bcb7d7bad0ce03e7abdc275fd6e903ec4059afa8161a53ee0796d18c63b

SHA512
b337219c8274e82786bd0c0aefaa7bf0e27444eea7990e5b36e026d0fae095899fdc553aac68f42d1277c74b29b81a05bb7cc50906a69ee03b063239c051cfda

Download Submit
C:\Windows\INF\c_diskdrive.PNF

Filesize
6KB

MD5
f9d440d3707c94f9973d5ec16b0e5c84

SHA1
ce6f191d47311f498f06713ad71e3324774a1ddc

SHA256
4f6d218cb424a54adddb4786ef7ff154e10220ce6373d9975f6bcbd2f7db4d28

SHA512
d44adb81577b64af9d41c47ce1f3fe27c5d144cc4daeb1aec5870377ff0799fdc0e7f8b577555a11112ad5494f6625081b8398d2cdaf959685cff47fc55c045e

Download Submit
C:\Windows\INF\c_display.PNF

Filesize
8KB

MD5
716a1b21d16beae0405cc08d35d137cd

SHA1
a013a0d39efd59a831edfe5194dd182af25109aa

SHA256
e3170e44d159d924bd7884c4e0fd6b590ffd93b0ce2c1eebd0d68606039f7df5

SHA512
bf6664be664c1675b1038afe91d108a0d0f487f158cf6d0b183ab5ac5cf10836270c71687b69a220bd7ef8383bd2aa1cc9715edcedd4fde1735c7af50ac103f8

Download Submit
C:\Windows\INF\c_fscontentscreener.PNF

Filesize
4KB

MD5
f335a6f51d69421a037f630bc9cc7bb2

SHA1
3f0c46fd3d85eda6a698982b1b5e738dba3a13fd

SHA256
ed8d0d206fd867dd4b377b7cf2b912ae1a65a53e28b90983d971572312e56b62

SHA512
4d52b56f53ee8c656c52aa18284da0be404c2c1735044c175f0f5508ef1089c8f335b2bfdea541d92b244397ac0c590ded99e2125736c9b56f829d545db8007c

Download Submit
C:\Windows\INF\c_fsreplication.PNF

Filesize
4KB

MD5
5693b1b7a5344042c5b2ef5c161fedc2

SHA1
47c1f275fce079290316997bd7e806ae5a0e8689

SHA256
4e5fc807d14bcd6cfb8e08a821491921a0563aba7d1ed90211c56809fa95fd43

SHA512
06488bbba92640b76e9833ea89e8e6ee5fcb94b5f562722b1438e8f941fb1140a98f454c8a4ba2bc8a2d98cfc259d77d0c998b82f4f22f55a99a20ed30ab761f

Download Submit
C:\Windows\INF\c_fssystem.PNF

Filesize
4KB

MD5
dde6fa6a9afa3f776ff9b4efd0e4a2f4

SHA1
8312049793e485d810d1d7d911c3e57e10c7f83a

SHA256
a36bec6b785f32ccc0fc65dd99209ebebade13e04eaefc6002706d20ec4c3df9

SHA512
0289abc2e2cd69977679d9683218d62a4c70c94c0ae1398e9f57df8158544cfa664714b2c61cc318249105f750a9999de915de6be4338a49cb4d2ded58c7ff04

Download Submit
C:\Windows\INF\c_fssystemrecovery.PNF

Filesize
4KB

MD5
4281838792fa08098b7c14d84e4480b1

SHA1
6f720ff8876b8a7d5573540ef604c56a656bdb09

SHA256
9370738c2791a7fa5d7def09b3eb1a708092b08ffe88f8252991096d93885c65

SHA512
20af48d4ffcc5c8d585cc0f3755b95be0e085603f1702307965c1df3aa66f2536b18631c7a5b21c8d2dc9152c8c5418f4b0a45a48b897e5022be682483caa3ad

Download Submit
C:\Windows\INF\c_linedisplay.PNF

Filesize
3KB

MD5
e1c7f2f39f5d72f8a9bf176c988e7acd

SHA1
adbb86fbf82f4d0676e11949ee65e25df2a63131

SHA256
ccf334064e49d49a444c6534f182a1ea08087dfc42d6c3241cfe3bfaca5109a0

SHA512
ac13d949ffac013f6cbb5dffb7716c4260cc8c1532750fe87d162d5f137f40fd4bf41372ca0985f3bcc211404119d5643535ee388891e8ef5653e8b8523de462

Download Submit
C:\Windows\INF\c_magneticstripereader.PNF

Filesize
3KB

MD5
3d90c654c1c16f1896adeb668a8859fd

SHA1
5445b6acdea83263770ee2e0bf9e6a664fd142bb

SHA256
a92e905f36eed31b38dd47ad17811974a3ba31fc29e4947fb91b31b768f1ea38

SHA512
1f93858660099db60124af364e3d568c6271f724a15f1fd4f3b081f080224748f70e0fc053e8bda77e15d5789424d9afc4e27bcfcc1f869d2cc90a590bdbadbd

Download Submit
C:\Windows\INF\c_mcx.PNF

Filesize
4KB

MD5
cdcc9d517090e748e288c2c8e254ed43

SHA1
67c49c8e7afe2d5aa01af3ed9d95ec8d121abb69

SHA256
b19e5e8bc98db2c1a0d37e720a6c37a22586e11d23607e44217befb3e9a26232

SHA512
412a28791b65172ef26550cf1caf7de22f13d8d310dc30d5fb2152eed897044b9b2c27849e7604b86ee036c192d2949f98f73569c448c0a29c64149aa0cbe27f

Download Submit
C:\Windows\INF\c_media.PNF

Filesize
12KB

MD5
d6f787534eea52824abfef940379b071

SHA1
b200fb5e314de41c743ac84fc973584dee668946

SHA256
feedfdacbcff878dd0f877736f880b045941e25cd3c4013357d4e2a293a1e7d8

SHA512
7ba2d3f0858a5aea61486ba8eb96fed621384258b5055e97a314d9cde71081545d881059d9bcd5bce4f5cb2d7cc341090d2cc419cac44302708b8bef17e4beca

Download Submit
C:\Windows\INF\c_monitor.PNF

Filesize
6KB

MD5
e55484adf517c891a3568285a58df614

SHA1
04c231a0fd9905bbc69705cc68aa34de1f5d7fa6

SHA256
6fe79bf95069eabb801dda3a11a6fed20219b4551048c0543519fa29e658854a

SHA512
5f32de576b3985076371ecda630512d345d3408775a1fe9fc83007e37a9da4c8b5243e12875f5026cd1237e8c802069b0d27ddb089eaa4e6e1e72dde382af742

Download Submit
C:\Windows\INF\c_processor.PNF

Filesize
5KB

MD5
b9fc29f586c7a0abdb7f33a173bd4518

SHA1
8a6386314e2b0dac9e57874164e865a6a94a0ba9

SHA256
6040b942d0887f914a296e8ae0cc67300c479d4d0bb24bd07dde54ee142c4161

SHA512
b44ea31a19c30c6b1fa4ee964284bc05e6d373d2c22a5012aec388465eb96b84a071804e49d2be577cf07ed24b535bd19e39c30b9a191a140f0c3875682cbfe3

Download Submit
C:\Windows\INF\c_proximity.PNF

Filesize
5KB

MD5
557e6c5ee5f30ee177fe90bd396327ce

SHA1
47da2b91f66ed53e2643c8fbed2de2c521849bb7

SHA256
b24cadbdeaa14c68277ca7443b171074c36e2b28f2e2b476d055c4ad317e9c28

SHA512
06f724657a29605805bd8913ed6801cffa42ba7b641212b32be226a530c855166310ae0987f8446c186f252a592b6aab6ebb80c23e16c9bc7532fcc7cf4dad99

Download Submit
C:\Windows\INF\c_scmdisk.PNF

Filesize
6KB

MD5
e7b570f07874776e4cef2f9c08191001

SHA1
f85095870f4f1bb349a3daac6bece51b3a5c2031

SHA256
7c0a5430e7ddf37ac601603bff865ffec1db51d745bd4ad18c11ea3ea7711201

SHA512
33d1968d54d9dac5c88e91312a54556be1fec2e192a7d3813e3e0635083b9daf93c51c7acc47596fd8d381015995e04d68fcd4009bab14f77c5ff8eaf57d2935

Download Submit
C:\Windows\INF\c_scmvolume.PNF

Filesize
4KB

MD5
946e35ab7a9d8cf86d5c6cb83dd8636a

SHA1
3455614b00b7de00a3c3d5c2bdb87cbc8c5ebb04

SHA256
4f57bfc496d88106f21875c2304e3a8854cfd02fb93ae106828fc420c5303580

SHA512
c727e7014545520c8a8d4d08662d6cdde8e88fec7dbf5c3a282331f9654c96a5ff67c2cd37eb0a73f6702c077206d02355470a7b8fe157bf192083ec3a7b1a58

Download Submit
C:\Windows\INF\c_smrdisk.PNF

Filesize
6KB

MD5
9aa930e8b6cec0e029b1ee1ce6d9f023

SHA1
a802515320cbaa662a04dce6d81747b2d4229c23

SHA256
0486b472f51384279ddd03725ba694a44e1d2b6a4aaed5fdd08162c24eee8c84

SHA512
116a467fb586f6265afb0bea1cb0de316d484292dd8517bfd377e4ec5080a9a5c54633113fddc711ec0ab75d20b31a3d3378f298b93313dbea0b2af336d80ece

Download Submit
C:\Windows\INF\c_smrvolume.PNF

Filesize
4KB

MD5
b5111085825780c9db8bc417678f8149

SHA1
efeb256a99fd73ce0fccb48ac01647f5fff1b277

SHA256
715edaceb7ab7cdd1d7954679c3bd61a35b2fe072717704c58eb84c25d4f9895

SHA512
39167e3fc6e79163a680cc0941ea98c23dd76ec917dcc9bd5259e46d9215977b60454bbcd95f2bbeb53ee2fa203367e706089619e94bfdab8bdff8e66e35ad51

Download Submit
C:\Windows\INF\c_sslaccel.PNF

Filesize
4KB

MD5
70af2600a0d71bc84b3899bfedce310f

SHA1
6257311bb37c59e9e9d093809f7fab37a6b00ec6

SHA256
dd432f0ab73389634cf878bf722606fa591eff889b5e6221b42b882fad5ce021

SHA512
dcb7b9129d7c8c667ec7f1a8dee5328add3a884808f18b960ca72553edb985d567b875fdc5bdb77ba19df4937f9669c118b2a2ec8a8b452e10ca50976fa3015d

Download Submit
C:\Windows\INF\c_swcomponent.PNF

Filesize
7KB

MD5
d30ee9567927629cc6742cf3e76f9bea

SHA1
a702126e76142f9e2bddadc8221d325c5138f484

SHA256
2d3ee79ce284e7016c296d90d0683ffbe41024effbc734eda3e867e72595fd6d

SHA512
d3f5dea133f65469d3650fd569ef6a072ef035e4c5baf9fa01ba10f8b5bd188bb1187a55c7f5142e41ca05c4cc0833898494cdcd4c5e3a77c8fb5772a4d2d81d

Download Submit
C:\Windows\INF\dc1-controller.PNF

Filesize
14KB

MD5
1fb296ca51785eb27dd289ceb90e8082

SHA1
0024d66ce2c3bd8d215e2a75c78bac3b5bb6fb5e

SHA256
45a627584acd8f55ac0f185b736d4fe8b1b8448bc43429a6d5eb3dfc6e0619a7

SHA512
4180b4bdf466f19ee52067cbddf4097cfe4898bc7bce044e986564ea6ba583c89e50869f33af65e2df565012f451ea2ae3b7be04c3d0c2c42de2a1ee98b34e15

Download Submit
C:\Windows\INF\digitalmediadevice.PNF

Filesize
7KB

MD5
e2924bc8fc3e5c988f750e1a022df3f1

SHA1
8febb2d3d24df3f027241cdacb578e4c1286bc0f

SHA256
6f536efebaa3a83edacbb2c5d6215f0e7d739443c52110c9c66eb0334d1ff131

SHA512
9e8daa84e7cc25652d31f5452bc32b03b9de1a5613b89a37e0e3f28f6753eb5c43e3e98907363b7a4aa867d48c7dd3c3d9bdce74153e6cca03c5191753ef511e

Download Submit
C:\Windows\INF\oposdrv.PNF

Filesize
8KB

MD5
637471f3297a199939cfb7c3c8f387d5

SHA1
4774a64e040d175e50829713144b2640287f67ce

SHA256
4fa9056bfbb43a8afaf13c8f3dd1185a6b53fcf0c04ea4eab75c432d2a993e3a

SHA512
80a1efe2dc9f2d3c6b90389a1d624ad38e6c6c25fe593ab68498fa814d0b2139d29fa7babe1b33dd54613675e6311c1a050bf821c7d2082f46a0090acbd2842d

Download Submit
C:\Windows\INF\remoteposdrv.PNF

Filesize
8KB

MD5
e0929f560069a49f80fc0827fa352f36

SHA1
585a6aea064b46b2ca659bb60f6313d0a8190f63

SHA256
8f45c4147c9c1bfd660a9e95e0033ee9d754d0afbc3aaa3275352ab546d1d3aa

SHA512
859614532e4d3808ace9a2b8de0f3d610babb9a29b8604408c104e49621b7142bb83ce3a6a093b6a3624dc3dd27ec0fe1484ca4c5e3bcc7e11955e790ec425f3

Download Submit
memory/4236-284-0x0000022A2F220000-0x0000022A2F228000-memory.dmp

Filesize
32KB

Download
memory/4236-271-0x0000022A13C10000-0x0000022A13C18000-memory.dmp

Filesize
32KB

Download
memory/4236-287-0x0000022A2E7B0000-0x0000022A2E7D6000-memory.dmp

Filesize
152KB

Download
memory/4236-286-0x0000022A2E740000-0x0000022A2E748000-memory.dmp

Filesize
32KB

Download
memory/4236-285-0x0000022A2F230000-0x0000022A2F238000-memory.dmp

Filesize
32KB

Download
memory/4236-289-0x00007FFCB6AE0000-0x00007FFCB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-283-0x0000022A13C00000-0x0000022A13C10000-memory.dmp

Filesize
64KB

Download
memory/4236-282-0x0000022A13C00000-0x0000022A13C10000-memory.dmp

Filesize
64KB

Download
memory/4236-281-0x0000022A2F2B0000-0x0000022A2F2D2000-memory.dmp

Filesize
136KB

Download
memory/4236-288-0x0000022A13C00000-0x0000022A13C10000-memory.dmp

Filesize
64KB

Download
memory/4236-266-0x0000022A2EFC0000-0x0000022A2EFF8000-memory.dmp

Filesize
224KB

Download
memory/4236-265-0x0000022A13BC0000-0x0000022A13BCE000-memory.dmp

Filesize
56KB

Download
memory/4236-264-0x0000022A2EF70000-0x0000022A2EFBA000-memory.dmp

Filesize
296KB

Download
memory/4236-263-0x0000022A13C00000-0x0000022A13C10000-memory.dmp

Filesize
64KB

Download
memory/4236-262-0x0000022A13C00000-0x0000022A13C10000-memory.dmp

Filesize
64KB

Download
memory/4236-261-0x00007FFCB6AE0000-0x00007FFCB75A1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-260-0x0000022A11DD0000-0x0000022A11E08000-memory.dmp

Filesize
224KB

Download
memory/4236-295-0x00007FFCB6AE0000-0x00007FFCB75A1000-memory.dmp

Filesize
10.8MB

Download