42eab08e7e4884b9f64fe8dd025fdf89fdde4fde6177610d945819a417fcff3c

Analysis

max time kernel
89s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 11:56

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

coolniga.exe
Size

267KB
MD5

19d91cbed122f79fac01873b49b9204e
SHA1

f3e83e66654fda5f1d3f811c5298533db5a03359
SHA256

42eab08e7e4884b9f64fe8dd025fdf89fdde4fde6177610d945819a417fcff3c
SHA512

fa3f2de2a3a27781a7107b2f9072362afcc9c7bfd04b3f1c3bec67c387d91287afaf998f6697356df386445143285105c2889d4f292beb2f2deac352c0341de1
SSDEEP

6144:/9WkPquna55bH2L3RC/7kxYoSg2TRqwUyG5KZ9wmD/Gn7TWen8GDSlvmyYmQheN:BPqWa55bH2L3RC/7kxYoZ2TRnUyG5KZm

Score

10^/10

persistence privilege_escalation

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4676-39-0x00000245010E0000-0x0000024501122000-memory.dmp	disable_win_def

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ms-content.com
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ms-content.com
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ms-content.com
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	ms-content.com
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	coolniga.exe

Executes dropped EXE 4 IoCs

pid	Process
2832	ms-content.com
3928	ms-content.com
4580	ms-content.com
4676	ms-content.com

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com
10	raw.githubusercontent.com
11	raw.githubusercontent.com
12	discord.com
13	discord.com
26	discord.com
49	raw.githubusercontent.com
4	raw.githubusercontent.com
24	raw.githubusercontent.com
25	raw.githubusercontent.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5480	control.exe
5640	rundll32.exe
8104	control.exe
7340	rundll32.exe
8256	control.exe
8488	rundll32.exe
7836	control.exe
3952	rundll32.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\mbm.exe	cmd.exe
File opened for modification	C:\Windows\system32\mbm.exe	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Kills process with taskkill 5 IoCs

evasion

pid	Process
3080	taskkill.exe
384	taskkill.exe
4032	taskkill.exe
7744	taskkill.exe
8144	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = ".txt"	cmd.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{CA9A309F-392D-47F7-85F8-F28845BDAD37}	explorer.exe

Runs regedit.exe 4 IoCs

pid	Process
6232	regedit.exe
7536	regedit.exe
9192	regedit.exe
624	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3928	ms-content.com
3928	ms-content.com
4676	ms-content.com
4676	ms-content.com
5088	mspaint.exe
5088	mspaint.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1952	coolniga.exe
Token: SeDebugPrivilege	2832	ms-content.com
Token: SeDebugPrivilege	3928	ms-content.com
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeDebugPrivilege	4580	ms-content.com
Token: SeDebugPrivilege	4676	ms-content.com
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeShutdownPrivilege	3660	explorer.exe
Token: SeCreatePagefilePrivilege	3660	explorer.exe
Token: SeShutdownPrivilege	3660	explorer.exe
Token: SeCreatePagefilePrivilege	3660	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3260	mbm.exe
4204	mbm.exe
5088	mspaint.exe
3888	msconfig.exe
3888	msconfig.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2832	1952	coolniga.exe	90
PID 1952 wrote to memory of 2832	1952	coolniga.exe	90
PID 2832 wrote to memory of 3928	2832	ms-content.com	92
PID 2832 wrote to memory of 3928	2832	ms-content.com	92
PID 3928 wrote to memory of 3080	3928	ms-content.com	94
PID 3928 wrote to memory of 3080	3928	ms-content.com	94
PID 1952 wrote to memory of 4580	1952	coolniga.exe	96
PID 1952 wrote to memory of 4580	1952	coolniga.exe	96
PID 4580 wrote to memory of 4676	4580	ms-content.com	99
PID 4580 wrote to memory of 4676	4580	ms-content.com	99
PID 4676 wrote to memory of 384	4676	ms-content.com	104
PID 4676 wrote to memory of 384	4676	ms-content.com	104
PID 4676 wrote to memory of 5044	4676	ms-content.com	112
PID 4676 wrote to memory of 5044	4676	ms-content.com	112
PID 3260 wrote to memory of 848	3260	mbm.exe	127
PID 3260 wrote to memory of 848	3260	mbm.exe	127
PID 848 wrote to memory of 4032	848	cmd.exe	129
PID 848 wrote to memory of 4032	848	cmd.exe	129
PID 848 wrote to memory of 3484	848	cmd.exe	130
PID 848 wrote to memory of 3484	848	cmd.exe	130
PID 848 wrote to memory of 3464	848	cmd.exe	131
PID 848 wrote to memory of 3464	848	cmd.exe	131
PID 848 wrote to memory of 4000	848	cmd.exe	132
PID 848 wrote to memory of 4000	848	cmd.exe	132
PID 848 wrote to memory of 1864	848	cmd.exe	133
PID 848 wrote to memory of 1864	848	cmd.exe	133
PID 848 wrote to memory of 4204	848	cmd.exe	135
PID 848 wrote to memory of 4204	848	cmd.exe	135
PID 848 wrote to memory of 4204	848	cmd.exe	135
PID 848 wrote to memory of 5088	848	cmd.exe	136
PID 848 wrote to memory of 5088	848	cmd.exe	136
PID 848 wrote to memory of 624	848	cmd.exe	137
PID 848 wrote to memory of 624	848	cmd.exe	137
PID 848 wrote to memory of 544	848	cmd.exe	138
PID 848 wrote to memory of 544	848	cmd.exe	138
PID 848 wrote to memory of 3660	848	cmd.exe	139
PID 848 wrote to memory of 3660	848	cmd.exe	139
PID 848 wrote to memory of 3888	848	cmd.exe	140
PID 848 wrote to memory of 3888	848	cmd.exe	140
PID 4204 wrote to memory of 4388	4204	mbm.exe	141
PID 4204 wrote to memory of 4388	4204	mbm.exe	141
PID 848 wrote to memory of 1144	848	cmd.exe	144
PID 848 wrote to memory of 1144	848	cmd.exe	144

C:\Users\Admin\AppData\Local\Temp\coolniga.exe
"C:\Users\Admin\AppData\Local\Temp\coolniga.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Roaming\ms-content.com
  "C:\Users\Admin\AppData\Roaming\ms-content.com"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Users\Admin\AppData\Roaming\ms-content.com
    "C:\Users\Admin\AppData\Roaming\ms-content.com" i
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /pid 2832 /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3080
- C:\Users\Admin\AppData\Roaming\ms-content.com
  "C:\Users\Admin\AppData\Roaming\ms-content.com"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Users\Admin\AppData\Roaming\ms-content.com
    "C:\Users\Admin\AppData\Roaming\ms-content.com" i
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /pid 3928 /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/ZC4rEuQuAiZTAw
      4⤵
      PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:8
1⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=2680 /prefetch:1
1⤵
PID:696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=756,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4756 /prefetch:1
1⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5176,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:1
1⤵
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5324,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:8
1⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5332,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
1⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5936,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6016 /prefetch:1
1⤵
PID:896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3952,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4792 /prefetch:8
1⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5100,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:1
1⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6596,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6608 /prefetch:8
1⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=4536,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=6756 /prefetch:1
1⤵
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7032,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=7080 /prefetch:8
1⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7236,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=7256 /prefetch:8
1⤵
PID:1144

C:\Users\Admin\Downloads\mbm.exe
"C:\Users\Admin\Downloads\mbm.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\69BC.tmp\69BD.tmp\69BE.bat C:\Users\Admin\Downloads\mbm.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4032
- - C:\Windows\system32\reg.exe
    REG add
    3⤵
    PID:3484
- - C:\Windows\system32\reg.exe
    reg add "HKCU\SOFTWARE\Microsoft\Command Processor" /v AutoRun /t REG_SZ /d "C:\Windows\system32\mbm.exe" /f
    3⤵
    PID:3464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    msedge https://www.google.com/search?q=82B2BE8F+BCB0828C+B5B1B0BDB088BAB0
    3⤵
    PID:4000
- - C:\Windows\system32\label.exe
    label C:pizda
    3⤵
    PID:1864
- - C:\Users\Admin\Downloads\mbm.exe
    mbm.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6C1E.tmp\6C1F.tmp\6C20.bat C:\Users\Admin\Downloads\mbm.exe"
      4⤵
      PID:4388
    - - C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        5⤵
        
        PID:3624
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7006.tmp\7016.tmp\7017.bat C:\Windows\system32\mbm.exe"
        6⤵
        
        PID:1040
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        7⤵
        
        PID:5608
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\75B3.tmp\75B4.tmp\75B5.bat C:\Windows\system32\mbm.exe"
        8⤵
        
        PID:5872
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        9⤵
        
        PID:5272
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7AD3.tmp\7AD4.tmp\7AD5.bat C:\Windows\system32\mbm.exe"
        10⤵
        
        PID:5676
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        11⤵
        
        PID:6448
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\82A3.tmp\82A4.tmp\82A5.bat C:\Windows\system32\mbm.exe"
        12⤵
        
        PID:6680
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        13⤵
        
        PID:7088
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8F46.tmp\8F47.tmp\8F48.bat C:\Windows\system32\mbm.exe"
        14⤵
        
        PID:7652
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        15⤵
        
        PID:7864
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A687.tmp\A688.tmp\A689.bat C:\Windows\system32\mbm.exe"
        16⤵
        
        PID:7980
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        17⤵
        
        PID:5012
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A83C.tmp\A83D.tmp\A83E.bat C:\Windows\system32\mbm.exe"
        18⤵
        
        PID:7448
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        19⤵
        
        PID:7248
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ACA1.tmp\ACA2.tmp\ACA3.bat C:\Windows\system32\mbm.exe"
        20⤵
        
        PID:7932
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        21⤵
        
        PID:8500
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B57B.tmp\B57C.tmp\B57D.bat C:\Windows\system32\mbm.exe"
        22⤵
        
        PID:8628
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        23⤵
        
        PID:8980
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BEA3.tmp\BEA4.tmp\BEA5.bat C:\Windows\system32\mbm.exe"
        24⤵
        
        PID:9204
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        25⤵
        
        PID:8324
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\CA3C.tmp\CA3D.tmp\CA3E.bat C:\Windows\system32\mbm.exe"
        26⤵
        
        PID:8264
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        27⤵
        
        PID:4916
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D0D3.tmp\D0D4.tmp\D0D5.bat C:\Windows\system32\mbm.exe"
        28⤵
        
        PID:7560
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        29⤵
        
        PID:7616
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D893.tmp\D894.tmp\D895.bat C:\Windows\system32\mbm.exe"
        30⤵
        
        PID:8400
        
        C:\Windows\system32\mbm.exe
        
        C:\Windows\system32\mbm.exe
        31⤵
        
        PID:5796
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5088
- - C:\Windows\regedit.exe
    regedit
    3⤵
    - Runs regedit.exe
    PID:624
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:544
- - C:\Windows\explorer.exe
    explorer
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- - C:\Windows\system32\msconfig.exe
    msconfig
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3888
- - C:\Windows\system32\msinfo32.exe
    msinfo32
    3⤵
    PID:1144
- - C:\Windows\system32\mmc.exe
    mmc
    3⤵
    PID:4264
- - C:\Windows\system32\winver.exe
    winver
    3⤵
    PID:3456
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:3808
- - C:\Windows\system32\charmap.exe
    charmap
    3⤵
    PID:3608
- - C:\Windows\system32\osk.exe
    osk
    3⤵
    PID:5044
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:3844
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5196
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\appwiz.cpl",
    3⤵
    PID:5336
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\appwiz.cpl",
      4⤵
      PID:5468
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\powercfg.cpl",
    3⤵
    - Power Settings
    PID:5480
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\powercfg.cpl",
      4⤵
      Power Settings
      PID:5640
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
    3⤵
    PID:5512
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\devmgmt.msc"
    3⤵
    PID:5808
- - C:\Windows\system32\Netplwiz.exe
    netplwiz
    3⤵
    PID:5984
- - C:\Windows\system32\control.exe
    control folders
    3⤵
    PID:6112
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Options_RunDLL 0
      4⤵
      PID:5556
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
    3⤵
    PID:6128
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",
    3⤵
    PID:5424
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",
      4⤵
      PID:5528
- - C:\Windows\system32\mstsc.exe
    mstsc
    3⤵
    PID:5292
- - C:\Windows\system32\cleanmgr.exe
    cleanmgr
    3⤵
    PID:184
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6204
- - C:\Windows\regedit.exe
    regedit
    3⤵
    - Runs regedit.exe
    PID:6232
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6388
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:6476
- - C:\Windows\system32\cttune.exe
    cttune
    3⤵
    PID:6584
- - C:\Program Files\Common Files\microsoft shared\ink\mip.exe
    "C:\Program Files\Common Files\microsoft shared\ink\mip.exe"
    3⤵
    PID:6808
- - C:\Windows\system32\dialer.exe
    dialer
    3⤵
    PID:6844
- - C:\Windows\system32\isoburn.exe
    isoburn
    3⤵
    PID:6864
- - C:\Windows\system32\cliconfg.exe
    cliconfg
    3⤵
    PID:6896
- - C:\Windows\system32\wusa.exe
    wusa
    3⤵
    PID:6936
- - C:\Windows\system32\slui.exe
    slui
    3⤵
    PID:7092
  - - C:\Windows\system32\slui.exe
      "C:\Windows\system32\slui.exe" 0x03
      4⤵
      PID:7592
    - - C:\Windows\system32\ChangePk.exe
        
        "C:\Windows\system32\ChangePk.exe"
        5⤵
        
        PID:7828
- - C:\Windows\system32\wscript.exe
    wscript
    3⤵
    PID:7124
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:7164
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\tpm.msc"
    3⤵
    PID:6372
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\intl.cpl",
    3⤵
    PID:3692
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\intl.cpl",
      4⤵
      PID:6476
- - C:\Windows\system32\msinfo32.exe
    msinfo32
    3⤵
    PID:7676
- - C:\Windows\system32\mmc.exe
    mmc
    3⤵
    PID:7688
- - C:\Windows\system32\winver.exe
    winver
    3⤵
    PID:7732
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    PID:7744
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7884
- - C:\Windows\system32\charmap.exe
    charmap
    3⤵
    PID:7956
- - C:\Windows\system32\osk.exe
    osk
    3⤵
    PID:7968
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:7992
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8052
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\appwiz.cpl",
    3⤵
    PID:8076
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\appwiz.cpl",
      4⤵
      PID:7296
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\powercfg.cpl",
    3⤵
    - Power Settings
    PID:8104
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\powercfg.cpl",
      4⤵
      Power Settings
      PID:7340
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
    3⤵
    PID:8148
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\devmgmt.msc"
    3⤵
    PID:6672
- - C:\Windows\system32\Netplwiz.exe
    netplwiz
    3⤵
    PID:7312
- - C:\Windows\system32\control.exe
    control folders
    3⤵
    PID:7380
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Options_RunDLL 0
      4⤵
      PID:7624
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
    3⤵
    PID:7020
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",
    3⤵
    PID:5508
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",
      4⤵
      PID:7584
- - C:\Windows\system32\mstsc.exe
    mstsc
    3⤵
    PID:5736
- - C:\Windows\system32\cleanmgr.exe
    cleanmgr
    3⤵
    PID:1124
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:6436
- - C:\Windows\regedit.exe
    regedit
    3⤵
    - Runs regedit.exe
    PID:7536
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7672
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:7800
- - C:\Windows\system32\msconfig.exe
    msconfig
    3⤵
    PID:6488
- - C:\Windows\system32\msinfo32.exe
    msinfo32
    3⤵
    PID:5956
- - C:\Windows\system32\mmc.exe
    mmc
    3⤵
    PID:7904
- - C:\Windows\system32\winver.exe
    winver
    3⤵
    PID:8136
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8128
- - C:\Windows\system32\charmap.exe
    charmap
    3⤵
    PID:8140
- - C:\Windows\system32\osk.exe
    osk
    3⤵
    PID:8164
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:6952
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:8132
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\appwiz.cpl",
    3⤵
    PID:8052
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\appwiz.cpl",
      4⤵
      PID:6488
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\powercfg.cpl",
    3⤵
    - Power Settings
    PID:8256
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\powercfg.cpl",
      4⤵
      Power Settings
      PID:8488
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
    3⤵
    PID:8272
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\devmgmt.msc"
    3⤵
    PID:8604
- - C:\Windows\system32\Netplwiz.exe
    netplwiz
    3⤵
    PID:8672
- - C:\Windows\system32\control.exe
    control folders
    3⤵
    PID:8688
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Options_RunDLL 0
      4⤵
      PID:8896
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
    3⤵
    PID:8704
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",
    3⤵
    PID:8784
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",
      4⤵
      PID:8888
- - C:\Windows\system32\mstsc.exe
    mstsc
    3⤵
    PID:8804
- - C:\Windows\system32\cleanmgr.exe
    cleanmgr
    3⤵
    PID:8928
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:9020
- - C:\Windows\regedit.exe
    regedit
    3⤵
    - Runs regedit.exe
    PID:9192
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5664
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:2996
- - C:\Windows\system32\msconfig.exe
    msconfig
    3⤵
    PID:7576
- - C:\Windows\system32\msinfo32.exe
    msinfo32
    3⤵
    PID:8132
- - C:\Windows\system32\mmc.exe
    mmc
    3⤵
    PID:8204
- - C:\Windows\system32\winver.exe
    winver
    3⤵
    PID:6180
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:8352
- - C:\Windows\system32\charmap.exe
    charmap
    3⤵
    PID:8452
- - C:\Windows\system32\osk.exe
    osk
    3⤵
    PID:8516
- - C:\Windows\system32\Taskmgr.exe
    taskmgr
    3⤵
    PID:8488
- - C:\Windows\system32\control.exe
    control
    3⤵
    PID:5796
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\appwiz.cpl",
    3⤵
    PID:9148
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\appwiz.cpl",
      4⤵
      PID:7820
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\powercfg.cpl",
    3⤵
    - Power Settings
    PID:7836
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\powercfg.cpl",
      4⤵
      Power Settings
      PID:3952
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
    3⤵
    PID:7468
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\devmgmt.msc"
    3⤵
    PID:8344
- - C:\Windows\system32\Netplwiz.exe
    netplwiz
    3⤵
    PID:8696
- - C:\Windows\system32\control.exe
    control folders
    3⤵
    PID:5216
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Options_RunDLL 0
      4⤵
      PID:9104
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\services.msc"
    3⤵
    PID:8084
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe" "C:\Windows\system32\ncpa.cpl",
    3⤵
    PID:8008
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Windows\system32\ncpa.cpl",
      4⤵
      PID:8332
- - C:\Windows\system32\mstsc.exe
    mstsc
    3⤵
    PID:7968
- - C:\Windows\system32\cleanmgr.exe
    cleanmgr
    3⤵
    PID:2004
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4492
- - C:\Windows\explorer.exe
    explorer
    3⤵
    PID:3672
- - C:\Windows\system32\msconfig.exe
    msconfig
    3⤵
    PID:5692
- - C:\Windows\system32\msinfo32.exe
    msinfo32
    3⤵
    PID:5996
- - C:\Windows\system32\mmc.exe
    mmc
    3⤵
    PID:6500
- - C:\Windows\system32\winver.exe
    winver
    3⤵
    PID:6876
- - C:\Windows\system32\SnippingTool.exe
    snippingtool
    3⤵
    PID:4912
- - C:\Windows\system32\write.exe
    write
    3⤵
    PID:6712
  - - C:\Program Files\Windows NT\Accessories\wordpad.exe
      "C:\Program Files\Windows NT\Accessories\wordpad.exe"
      4⤵
      PID:8956
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6884
- - C:\Windows\system32\charmap.exe
    charmap
    3⤵
    PID:9176
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im svchost.exe
    3⤵
    - Kills process with taskkill
    PID:8144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6976,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=7256 /prefetch:1
1⤵
PID:5036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:3736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5268

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5648

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:5796

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:6216

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:7080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:6236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:7584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:8188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7420

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:6880

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
PID:6972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:7532

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:7048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7152

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7236

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:9212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:9100

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:6568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ms-content.com.log

Filesize
636B

MD5
e8c4b17c6ff538a212ab4f575a1f0b43

SHA1
cb355fcdc762157748113c763ce10793ca9ed368

SHA256
7d822fab4f7728a4718395a2b8c6f3f5d637f5893a5675edc5b246673ea860ad

SHA512
2309259813e96b9f2b682f73d32e58ec741fd27d1608f52c6f57d864d287c4970dfbc086e3d6cda80f64a67e89b5f5ab8fcf5181bbba5e90edfa62a6a467113c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VVOFDIUO\views[3]

Filesize
1KB

MD5
bee1758a485085bb8a121eb74ba7e96f

SHA1
8024492e1126b17f832e36c932d433200180b693

SHA256
edcad5b1ce8a304b70b8c9ea57d4aeab740d979ffa59243b943011cb1ba4d57e

SHA512
bb1fe94a523ef108c49f75da187fcc28bbf80d72233454c329134bee2e12268d3da344a622987b081612aa2a1edac8b91eef27619c7309517ac52e7aebf32f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\views[1]

Filesize
3KB

MD5
a726593a8261930e4786375106fc6bfe

SHA1
13916b1e1825549e9c36c64e35baca204a83ef95

SHA256
e6bfdfbb9a0649ea9d38de4255c355c581097e6a1035a54943260b22ad45f172

SHA512
b093a2513b2c4f8544093d6e983ec580e14625e1529bc3db22c4011980cdf44a78443c22289b11a6ed0afae2786d480f94b354b71496ee022e439d2bdefbedd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\69BC.tmp\69BD.tmp\69BE.bat

Filesize
2KB

MD5
bba2387d04a06e2ce4d8ed141c05ba69

SHA1
ac06f2366eba283bfddb28faae0ac1bcb8d5c84d

SHA256
88dc602cc9517dcf097382802bf19f2e6295e47602a1b43228d4c91836f8a327

SHA512
8ffd813b02dc751863fa6a3503cece37978880ee2c3dcbb23fa1c1823b43116dd0c533d35d44c4cf96ac0746c042fa05e054136cbf38b55d0dec63b87b9bb1e6

Download Submit
C:\Users\Admin\AppData\Roaming\Sodium.dll

Filesize
59KB

MD5
fa95d735f88e819edc0cef02d3ee4781

SHA1
9e3c03ee4b0efeedf59edaca15ea304d2ec4cec7

SHA256
bf5b02ac516e9b62086649f43a29287c7872bbdb87512e9d5ec1be681c77a94a

SHA512
554cf8906c7e4bc15653685e70e96995bfdf0803fb30ca196d8bc34f9bfb888a7a1de64e8441415155889893ac7769bb643aa87913f5176c80588b1e3a38348b

Download Submit
C:\Users\Admin\AppData\Roaming\ms-content.com

Filesize
2.6MB

MD5
7d35413d43883467a377e9d92f3b61cb

SHA1
486daafbe84da67d84cdd51d38850ef12608654d

SHA256
d2f127ef53ef33f1ae85ce4cac3743d88dff6fbf9ddc45e47a57470208071bd0

SHA512
b691834c0fbb6a34f75817bb4c3c2b480de19e802cd5988a0e4291c84c7bf69435d49b914a865094799d566e3229a09f5f893dbf8d8a6599ae6515abc148454d

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
9d3a464488dc63c9af412ed74ee478de

SHA1
e61b0768190c8164eadc5e9c8bd23e8111d8aa3b

SHA256
9bfc2fc1e97a3209dc2172df4fed2893b710cf4f8513bab579bcf3504f762c10

SHA512
deff71799c20d4344f5a13d02fcde54c239634327a09af73ed29cacda48d323f7ec4fca74b68829f806a8c405cb2c260843ae432d562e7be2511985e05506db1

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
f9ca1d329b0cd47a9a3931ad46fd46b1

SHA1
b48e5159b32b1902fa92d6168b24c7bfe4d86864

SHA256
96ae873eaa706e95a00494fa41a354bf575d6e33925065ffcf9bc21f5fdc53c1

SHA512
84a7141d53dbaefe8dbc905d329f5145070106f03c8aef624737d19a0edc6c907b3885e5dfb094c3f9d26bf98c0ba0bf50ccdacf9d3f86a55ef9928f84165be2

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
ec164d36837bf135b177ca05686a4dce

SHA1
d96f9bbc4d57f35cfde149d1710445509b6f7744

SHA256
ff52360a232340b5d283dc2ad56fc7f7320fa4b2730a0ba0eee8d39ff6ab64b9

SHA512
89a27843002bcb0c4f1a7563d2a08bc0b20cacca2d6a9d361112c532b0a8209028e3bde040c36aff955041703f2c33ba7749b07fa7bb097c8492315eca2deff0

Download Submit
C:\Windows\INF\PerceptionSimulationSixDof.PNF

Filesize
10KB

MD5
4ab13b82289b29dad17da67b2f3855d5

SHA1
9b031c563b44509a25e981122f7d5706f926bb9f

SHA256
b98f2e16fcfb003bccde4eb02419dc59f501cf97d5121a1ea5294b46d0d0c7ad

SHA512
a47a58005aac36cea54c36ea4a1f658a02fbce8030b91e21ba898a64c8d27cad44c1da32d41c5c4597a05e7ab74a63e1bf7e2c3de77d8391db7b511d5da4cdde

Download Submit
C:\Windows\INF\c_apo.PNF

Filesize
6KB

MD5
6b8a13078b9014b827dd12c95e84bc81

SHA1
251706372a7d3cd32644c166d5332b769f3820c4

SHA256
c0ecb5cdfc8c3a92c78eda43f17c47ac70ab40d2a84594e5c616a60c500efa03

SHA512
c0fdc77f9f5c2fcaa4802cc7c217fce7fd59a1b93604216ea6ad1e83041e07759c631721a2da3d5e3b1c4f799a93c7e83a12febc531bac939b14e19ce0f7f7e8

Download Submit
C:\Windows\INF\c_barcodescanner.PNF

Filesize
3KB

MD5
4705549566d5f15cccae4d54209a4eed

SHA1
ad3986036ebf800fe196e0ee2a8ec609b57d1f34

SHA256
0c8dda91d03dbc25376b19a14de363158bf6790b0f99638dabba9e5ba26f808c

SHA512
49ecc489bb6ffa4f370011af3f21e6b553bd9b282820165c22148d22631e941827773b0e6b1f8c568334b6b10c40cf204b85d120721f87611ea1a650edc1ebca

Download Submit
C:\Windows\INF\c_camera.PNF

Filesize
8KB

MD5
55c37531cb8d70055e8fa5e74dabf42a

SHA1
fb46341f146c582e63db0e26d2a5da006d6f3424

SHA256
70df4413fa77f63e7783e51b9c90a9f7293ebeaa236be194f788800650f2206b

SHA512
814bca88ab2a8ce33feb288bd8110e7e0698373c7f3c171d9960167f4bed209005d36cf46e7f0c3860a22f86b1fbececb3c83492d34d4b38db418ce429fa14ae

Download Submit
C:\Windows\INF\c_cashdrawer.PNF

Filesize
3KB

MD5
b6121d2c184ba0d9bca12ba36dd6fb8b

SHA1
0af18b2a6322c99f49a1e6ba902238969c25dfff

SHA256
4a45d1d731107dc4cce465ef7c6489092363246eed3d07e1fbdd98b88891f3fe

SHA512
9de2a9cf52b7813c00afda486b59fcadf5f65caa961de9cba43d6b6ff3c11b2e56999f12fc19ccbcac1c94b2d6d4b374193d550c2c29a2fe891325e37c029881

Download Submit
C:\Windows\INF\c_diskdrive.PNF

Filesize
6KB

MD5
15e50442b6acbea9284c03885047643f

SHA1
ea96f2e02252336b86b0e4f9771bf8a14acc1bac

SHA256
53aa243095ec686dcca9ef1f2533ad161f680e27b08b24db19c2d86b645d1689

SHA512
d0ada1b4fbea930d43a1d000df92d46cc51d7e132f1ce54dd5842794c520c1e0090466de4747c0964c2390a1caf1fe13d1132be7e87a1e29d84ec8e5bc38c14c

Download Submit
C:\Windows\INF\c_display.PNF

Filesize
8KB

MD5
716a1b21d16beae0405cc08d35d137cd

SHA1
a013a0d39efd59a831edfe5194dd182af25109aa

SHA256
e3170e44d159d924bd7884c4e0fd6b590ffd93b0ce2c1eebd0d68606039f7df5

SHA512
bf6664be664c1675b1038afe91d108a0d0f487f158cf6d0b183ab5ac5cf10836270c71687b69a220bd7ef8383bd2aa1cc9715edcedd4fde1735c7af50ac103f8

Download Submit
C:\Windows\INF\c_fsactivitymonitor.PNF

Filesize
4KB

MD5
baa42c90569af83dd1778d843e071a97

SHA1
233373f71da8ba2e89d9481b0afb9ce83e0fb762

SHA256
4380cd1d402e5f0236ac4df0fb53119749cd5ab6d998ecd5f1846a10bc0b80d0

SHA512
cdf712288b0932838b0552e0502726771a51e8cc845e1f81491aa1d756bd1c3663f5e7ee7a7e166b2442263fe8112b765d588870f83ecd2262a19f087258d5b7

Download Submit
C:\Windows\INF\c_fsantivirus.PNF

Filesize
4KB

MD5
a0a8d285e2736eb8f36059880acf384f

SHA1
0921cacf9534368867d4e0cba7bd54b448bd38a0

SHA256
0655f8f6500ef42e12fb7eaa8509b57eb7b9a3b1d071d2c2f88be442c49e480c

SHA512
00ae9cec96765f35b88b9f4b482b3ac2d872745bbb76b739571b4c91d79749900fddb1f9e11ca6fdcf31043458316a7406237a5be82d8a0bf036ce6b44ee2628

Download Submit
C:\Windows\INF\c_fscfsmetadataserver.PNF

Filesize
4KB

MD5
9bd72910a73206c43ca3bff5087d290b

SHA1
363c3e1d0c6b2ee80fe7ab6595823fd822dbc48a

SHA256
1077dae349442bd633ba6ac702cf8f140a766249cc08e4b3f79b99f1f4d9a0bc

SHA512
2eb98848b08338206309c7e9c83dd06941b5051e4cab5127b0fa55cac4f2525894b9e57f848adea7c690341c371d7f2f078ab42cda0fb63dc2719066d4a4e83c

Download Submit
C:\Windows\INF\c_fscontentscreener.PNF

Filesize
4KB

MD5
870aa9135448010a2b07cbbb194b1d09

SHA1
6d467114020da3b119b964e1bd266e97fa030692

SHA256
89dc75381a504dd19c92754af2a5b268b52467eaf2c6e821c90df4d32a650f29

SHA512
1d01f8c84c1b9be03c70234b95fdb0a35449eff90f2fd64f285035d37184c2396faed3df0804a66f0eb576cd5271c647b553342e58c71ffa99a6a374800888b1

Download Submit
C:\Windows\INF\c_fscontinuousbackup.PNF

Filesize
4KB

MD5
73f1ab62a0daa4956271ed263c3c42e9

SHA1
6abee2308a99725338e465108798a0ac2343e1af

SHA256
e81c5552b61d18e16f29aee7779d34bdc16f6f3c2b7cd0363c2626a6a0327702

SHA512
a418f385920673acabfdb5df893488537f0cd4d51c27003a171dcf045c60d07845548803f3a2f3b804777850231102344a15e95f72b9834750ce9bf6d05058e6

Download Submit
C:\Windows\INF\c_fscopyprotection.PNF

Filesize
4KB

MD5
efb626c14105d2095cef5efc9980491d

SHA1
d21c921f7f23cde3ed4fd5c3816b3d3980c5c779

SHA256
02ad18c41975f876d48f78569547bc69eabe7c85b2d3480a763b4bbae17f13c3

SHA512
09e999440a51713f87de149383023143d09a21a62d8c94bfac549f4566bf997551412fdb3181afa6c232f5305695783d7346af89ffbca52918e464914c11f2b7

Download Submit
C:\Windows\INF\c_fsencryption.PNF

Filesize
4KB

MD5
d2df781aa1e6c8068cb65ceb3c6afb0d

SHA1
61d8eca05eec42a4ad4f678d916ee8a7dad5191e

SHA256
ba6ec341cc8bced677cc489cedefa67d77238b83980879879475b06338e162a0

SHA512
3038cbe4bda42c5ffa7e6797251687a3f0ced0be3362821f651e5cfea6a2076755477b876f2af53a026188e0b16d1913c204f06dc5f66f7227609fed380d293e

Download Submit
C:\Windows\INF\c_fsphysicalquotamgmt.PNF

Filesize
4KB

MD5
f7715c0142ed35c732d6149b2bd4b6bb

SHA1
f7649975159c5892cbe3dfc16ab2678d71519ed8

SHA256
da5baa21906e92aaa5f6b0947343d4e88de3f1993f2e100adc9d41f4a4fd24be

SHA512
ae3d8beb79ddffab2506672e1feb783275a553e7fa264d6efbe3ffebf0d610288b5f7b8a7642cf5fedf9a7790c432e31e9fefc4b035d07c40d70e1fdf16ea3fb

Download Submit
C:\Windows\INF\c_fsquotamgmt.PNF

Filesize
4KB

MD5
796ee7ba25f19699838044527af81b7b

SHA1
b37df59ce7b7369f6c1f47decef07c540a7c2e44

SHA256
1c4ab981df553cd3a065f3f33342a54da1bf53bf9a1ba24f0219326daf4a9d3d

SHA512
61b21c2b38acca8dfbf535c13afc25fae40da72b8a21dcca31c9e2c11fcf692a766f7c0eeed6f636eab68eea523539b0ce178892a84dc974f02a0f284eb027b9

Download Submit
C:\Windows\INF\c_fsreplication.PNF

Filesize
4KB

MD5
59617852a677b758475079e1037d5f15

SHA1
d0de2dcf4fda3adf00cc92372222f79dd51b99fd

SHA256
c8ce2499470b7827775166a19c69bef5302011c42d63c7c826a63cc47f5e520c

SHA512
77741411410947e555a6ed76511223a61aa3d36b8336056afb49105da7eeca75ab2a74a5ff1218158f06280b53ec41f2b59c792c0e7cd4cba80831098e221fc6

Download Submit
C:\Windows\INF\c_fssecurityenhancer.PNF

Filesize
4KB

MD5
4c7e22a83c0a98ef364d8ece44c679fa

SHA1
bf1b52788df60a2f8b138965b4e9e484f21072f8

SHA256
fe633cec8d9ff782dbfb04037f2b500e09a5879c9aeb3804fc1bdfe0710fce08

SHA512
e3132a5eafdd1853e1fb7de9c9624d06b172e01f3755eb552b1b1672ec07228c99d01a0309a568fde44abae2481a19d1f33fb6e287dd61b30ac57b2ab89e34f1

Download Submit
C:\Windows\INF\c_fssystem.PNF

Filesize
4KB

MD5
2ac38f764eccaf526b9cd0afe32d1d6a

SHA1
68614e768e8cb992d106d8241af4f03028b821f9

SHA256
655fe8302f85fdbcb13ba8714a8d45aca56ecc9ca46ade3ca6eff8e63161513e

SHA512
7740bdaaa69fd525cf564704601e40c7c1b76c6c5696beec38a61f8c0e5304f7dc6ed4cc1eeba0bd2ab56b955d6fac5aced440fa518aa85f010d4ed8568b8f1d

Download Submit
C:\Windows\INF\c_fssystemrecovery.PNF

Filesize
4KB

MD5
739a40d79009af2f128446e73dd03c4a

SHA1
a733ebe5e4ed4f8349a5d3d91a4f7d945484d4bf

SHA256
59ca171fdc0e5dc0d2b1cdced6676eff18794479af52a2163faa5f0fa1065a4c

SHA512
b324a8dd9d9ccaafd6c6ce65e063b7ab3bec252c260b597f59a2df937d8169bc4f0fd19842a373cf802fc5c442eb1d9dd2bfc3fdfc352afaf84818768b23659a

Download Submit
C:\Windows\INF\c_linedisplay.PNF

Filesize
3KB

MD5
e1c7f2f39f5d72f8a9bf176c988e7acd

SHA1
adbb86fbf82f4d0676e11949ee65e25df2a63131

SHA256
ccf334064e49d49a444c6534f182a1ea08087dfc42d6c3241cfe3bfaca5109a0

SHA512
ac13d949ffac013f6cbb5dffb7716c4260cc8c1532750fe87d162d5f137f40fd4bf41372ca0985f3bcc211404119d5643535ee388891e8ef5653e8b8523de462

Download Submit
C:\Windows\INF\c_magneticstripereader.PNF

Filesize
3KB

MD5
b19015e21e1bc2886b0b674d2f450bd1

SHA1
540de50a0d3b98b6abbc084178ba05e4704321be

SHA256
a1bc54e853d96acf8279a0a7f98de870e6d217d281b1119aad865816659b1eff

SHA512
cfe69151364ff1227b2eae37420ae70f34760150ca78b2e5dad9a83cd0538f6e1ce2798b4f31ee6fd9b9e17e020d738c7ec3805796e8d40bad1cbaa3914350b6

Download Submit
C:\Windows\INF\c_mcx.PNF

Filesize
4KB

MD5
1b909c8deb042ba17243934d48b3ee41

SHA1
928e854f9097ac311fc5ce458fd6909d812f7d96

SHA256
20781e9cd4f11ab6dcc3cfd6df92e0c70f55ff043165f1681bea6e48e45eda03

SHA512
088c1db3e9b55fbb46cdfa4ff18040deb5c1a1347b7f6366b8bbcbf6a1d42ec74aa9e167fb021210ddd613a55c8fc223d99ce2f39974dab1eb301d4f3d1ede9f

Download Submit
C:\Windows\INF\c_media.PNF

Filesize
12KB

MD5
1f345503b3506367f94bcfbb1f392f0a

SHA1
a15f52c224dcd7a7ab5532a5f321a3a12e99381b

SHA256
c22f815f98b533809a5ef8e70af5caa547ea7f760c759f09d69e684f7898e8fd

SHA512
f1798653c6ef1bfe2d1f570fc9525ca6f8e1f2c6d903b99725ed6cf4b897b1ad442d2defb5ff68f429a5002364ac06eab950ca7de846d9db236f5d59a1e0984d

Download Submit
C:\Windows\INF\c_monitor.PNF

Filesize
6KB

MD5
33e39877b89646881348fab707016ad8

SHA1
8f009f537816d0e146d00503904dd5594f31e5c0

SHA256
8300d9d992e4ff4a5aeaedf08eb35f29a0b117a80abcbf67cd4107529078bc75

SHA512
ebaae9bdbcf86fb634056ca4cde196f360269d572befbaa37830de27e5f0e6fa738c993d8efc07dc9045193196735f40f9f8aa1331b58a5c86ebb75246069e54

Download Submit
C:\Windows\INF\c_netdriver.PNF

Filesize
4KB

MD5
e7d3d84d9447a587750500aa96107e09

SHA1
057fccbd4278248c6b3cb218b3640fb8a4ce1284

SHA256
6cee2b4bd17b6199744fb1d9b6be96c37f7f4a856c07c1c3f9886668a88dca9f

SHA512
1d14a74d22aab8d42ac4b79993e4497f4c5b4937733d959c75ba6e0f6117d4ab1c56ef1a5974a487700d53578db148d51f8d3347b9c3ce073d67c9914dff4b60

Download Submit
C:\Windows\INF\c_processor.PNF

Filesize
5KB

MD5
f976ae3528a161d7acf2f479ccf2c831

SHA1
e76c3b41bf16fdf7fe48f2735796ce13d7459c7d

SHA256
736db0ec97bea53ee3a4ddf64dd2a10a034edf24495a1c1457b72f5eb41734e1

SHA512
befe37e646aac0bb0415b7445982bc1f0c583660daf9a9cd899fd5db443be14ff25ec15da54c28343bc55538b8120ae5c831ef77b5db26b0c11db6e7790c379d

Download Submit
C:\Windows\INF\c_proximity.PNF

Filesize
5KB

MD5
557e6c5ee5f30ee177fe90bd396327ce

SHA1
47da2b91f66ed53e2643c8fbed2de2c521849bb7

SHA256
b24cadbdeaa14c68277ca7443b171074c36e2b28f2e2b476d055c4ad317e9c28

SHA512
06f724657a29605805bd8913ed6801cffa42ba7b641212b32be226a530c855166310ae0987f8446c186f252a592b6aab6ebb80c23e16c9bc7532fcc7cf4dad99

Download Submit
C:\Windows\INF\c_receiptprinter.PNF

Filesize
3KB

MD5
af2055471adfab35322ba595086d04d5

SHA1
9a9204809f27e4257f9f087a5cd3e5818b4f133d

SHA256
43370b65cdc7572bf087123a027b8aac67f6ff4ad2f5b776242148f9578e49b3

SHA512
a99e10627537e77f256791ee5c582ce2f523a436301cacf62523f6762be94bfd2fe7f0db959ce739d69c969bec22063b2d71a07cf354657cc4b08bc7588eed00

Download Submit
C:\Windows\INF\c_scmdisk.PNF

Filesize
6KB

MD5
e7b570f07874776e4cef2f9c08191001

SHA1
f85095870f4f1bb349a3daac6bece51b3a5c2031

SHA256
7c0a5430e7ddf37ac601603bff865ffec1db51d745bd4ad18c11ea3ea7711201

SHA512
33d1968d54d9dac5c88e91312a54556be1fec2e192a7d3813e3e0635083b9daf93c51c7acc47596fd8d381015995e04d68fcd4009bab14f77c5ff8eaf57d2935

Download Submit
C:\Windows\INF\c_scmvolume.PNF

Filesize
4KB

MD5
946e35ab7a9d8cf86d5c6cb83dd8636a

SHA1
3455614b00b7de00a3c3d5c2bdb87cbc8c5ebb04

SHA256
4f57bfc496d88106f21875c2304e3a8854cfd02fb93ae106828fc420c5303580

SHA512
c727e7014545520c8a8d4d08662d6cdde8e88fec7dbf5c3a282331f9654c96a5ff67c2cd37eb0a73f6702c077206d02355470a7b8fe157bf192083ec3a7b1a58

Download Submit
C:\Windows\INF\c_smrdisk.PNF

Filesize
6KB

MD5
dc8244026fac1a6996c880218c17e4c0

SHA1
d5bf6d0fe519f821618cdca889c6594f9efa8df4

SHA256
6cb5987ab8ef7e7c00c98f69f74f56b80975f746356d1df9fada52cd04b9483b

SHA512
eccedb097b3e6afd6fbced8877902c4c16f33f91f09b6889f6a3190dc9f4c353201abd4b953e2e6b89ea201706fc083989465d88cd3c1077707dc15ca08bf9ea

Download Submit
C:\Windows\INF\c_smrvolume.PNF

Filesize
4KB

MD5
b5111085825780c9db8bc417678f8149

SHA1
efeb256a99fd73ce0fccb48ac01647f5fff1b277

SHA256
715edaceb7ab7cdd1d7954679c3bd61a35b2fe072717704c58eb84c25d4f9895

SHA512
39167e3fc6e79163a680cc0941ea98c23dd76ec917dcc9bd5259e46d9215977b60454bbcd95f2bbeb53ee2fa203367e706089619e94bfdab8bdff8e66e35ad51

Download Submit
C:\Windows\INF\c_sslaccel.PNF

Filesize
4KB

MD5
a5b60198ed9c83074babfa86f60c1e4b

SHA1
2f3e922d885fec14b965d9138ec90a1571125e8a

SHA256
024d245e7af8409c38f53bd91cf4ede6c11dad6a192a27351ce027db7fdcbb03

SHA512
47571c1995d026e90114bea355d67842e8e77ab003e906f7f5b247c1fe50743609165b944368f7b92759082c78f5b0ef020023c45bb712ede8e408979a7bbd00

Download Submit
C:\Windows\INF\c_swcomponent.PNF

Filesize
7KB

MD5
b097dc99f5d4e4924505d26aad418060

SHA1
56c03dcfd0de0e0248c9087d278736e1c047ee98

SHA256
f46763a9b7072706927e582e3cbae297627738a5031d03b60dfa860888aa6712

SHA512
436d54a5912128459972bcb5cefae0fa9e878f8c0b142df76a4fa7060f2f08f5bc4fcffdee437c355f52450c1354c7128be72d1e32a7bb012aec02b7394cdcfb

Download Submit
C:\Windows\INF\c_volume.PNF

Filesize
4KB

MD5
ef0973fa3399b93ab26b043ebecbf0aa

SHA1
4879f58c6bd27622406bfbdaa93d03aa9f1088ca

SHA256
a00fbfa38aad6a814bdd2f059ae935b3ff21384f15ceadfdff7e6fa69a8a8db1

SHA512
f806b7bb91e6ff419f3f1aa1c7708ef9a0e72321674d917f31968252229b95c3fef5ba952178267d12c5197b7677cae316bb3a12f936600e1c28f697097f8353

Download Submit
C:\Windows\INF\dc1-controller.PNF

Filesize
14KB

MD5
28464b236a4a97c7769ef60f764017ae

SHA1
2cb8a67c749b4119b6988a85ae6328ad59149f36

SHA256
e183a08c81d61cd154e815a990b2dee6d01f317fc4184ed45bfc3397e03c1760

SHA512
73bbce5ff1acfbad42aef87687e4b6459b9e0cca136972e75ba12c4f7ba5fe68362de4bc2227884af73456a5fa304daab58a9885f5b22f88252c4f919dbd24f2

Download Submit
C:\Windows\INF\digitalmediadevice.PNF

Filesize
7KB

MD5
809816b7e03df836bc59d1c76c0106c5

SHA1
b39d1c1db91f352733032d766f5450c6e92858ff

SHA256
91e85175633e3bbe910e1ccea2fae04cde4d75bd536b23cd4e4df449438265b0

SHA512
20a9a109c813ea4d4ef8246814dad50e47ab59cf508c89b502234f0af91f9145ad3c4cd0eb1611d0f0be51745dc0f3daee55d47ce50976f37a98f3cb694313fb

Download Submit
C:\Windows\INF\oposdrv.PNF

Filesize
8KB

MD5
37484f07aedd9b76af126756362055ab

SHA1
1f9cbe0ee9c42de5f42d0845d2e8d68652b88822

SHA256
a3c18fab6d2d36ed36ea1b71bc23054436c53a7534ab36e953f897a3a1453151

SHA512
ee41b4aef957efb8e596c9b204a3074b9dae8930a89d82def09e305ebd33c880d015308abef905c402672dae3abdf410a6bfefa6e206ab30a024fabcbaa6698f

Download Submit
C:\Windows\INF\rawsilo.PNF

Filesize
8KB

MD5
9441fea041e3c2de594934093520b76d

SHA1
4389684a700ab51d36c8edce42f8ff33d1aa2eb4

SHA256
f1055d270c558caea39993ffcf1c476527e960b7761f207be5749b497d01278c

SHA512
965d9259ab98871da202ea666304bdbc51a7c9f3049b95f4bbd6c9e656825b0002f74de25c364950b5fb6164bfe76365435007806b2001355cb6143ffe4a9f45

Download Submit
C:\Windows\INF\rdcameradriver.PNF

Filesize
13KB

MD5
e3c4127a7bc51f2e628af8717bfe4a23

SHA1
206b0eb8384b012f7e13c7a9483d1d61fd4911a6

SHA256
b97454557a03e51204a39aa63e1f6715f6c2b61499c91d0763e51182576cab99

SHA512
3244451b6c8b8bfcfd52abf9abe54334c8f1ff1be9c2c6a70a14e14235698c0853b08644b160e4f97dcb0fcb9e7a17801362e9cb8bc762e182f9be4c66f4dcc2

Download Submit
C:\Windows\INF\remoteposdrv.PNF

Filesize
8KB

MD5
3a39f8804e44f31b004d94d307c12869

SHA1
0d3df9b2dce06890e61133220c136ac1dc85ae53

SHA256
2f7f366e71fed5a9e8d3b8d12502d92ff1fab343b7698fa9ea6653ed74ffb050

SHA512
0f95ba3c362b9e3fd57f25263e4eccd49021fd0c1e7bc106092935719bd48f38b684638cd50205b6125452446c8513d25f03686bee58c8efe41c52f832cada95

Download Submit
C:\Windows\INF\ts_generic.PNF

Filesize
8KB

MD5
cfaf9c088d6de50a5d8fd7d4a0f0805a

SHA1
5555984ad4f74dd52257ebd80327aa5b790636f7

SHA256
f3f7878c1928bb216de4d55ebf18b4524dc2d31fd3485eed83d06d73a889e4a8

SHA512
884bae3557d998fe4f2881d2ccd2bfaf016ff50444f3fe6e3dfda7ffa06f9ebd7b06620a2b92fed7300e5e82482894e24cbee7bae1dd9c7ca8fea7fce8b6b2e9

Download Submit
C:\Windows\INF\wsdprint.PNF

Filesize
7KB

MD5
1671a9ea5066b2b30ad0b59fbcd67992

SHA1
eb44dfe3216ded035bdc4b891a06763e2a0584ca

SHA256
2e4a7afab81f605c4b994bb71ddab299e7f1f7ce96140fb930110c3aa5d1167d

SHA512
610c718048e2243f6a46bb02f9921fdf0bff26306cd58114002ca7269b68db27ed37e5c7be45e62dd328dae24f634496d78a08263d708f27868536a98a4d4b38

Download Submit
C:\Windows\System32\mbm.exe

Filesize
90KB

MD5
90c61af59bc4cda6e760cdcb2d096d23

SHA1
78c51b2877df4b05f6c327307ec2147cfe72dfe8

SHA256
dfdb8e8bdf913828d83487d5a9f9f7a29f659900c8369aca22db2c3a3c32e91c

SHA512
c826c42f0c1fcc6f1076de91b3c42c2fd2ea1e1ec0a3e2a6d216479a3d4caec6e243611da2f989326616a3a6dcb3776ca22aa0d1547c6cdc951fbfd977fc4ec0

Download Submit
memory/1952-2-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/1952-1-0x00000000004C0000-0x0000000000508000-memory.dmp

Filesize
288KB

Download
memory/1952-0-0x00007FF992653000-0x00007FF992655000-memory.dmp

Filesize
8KB

Download
memory/1952-31-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/2832-14-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/2832-11-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/2832-8-0x000001D1631C0000-0x000001D163456000-memory.dmp

Filesize
2.6MB

Download
memory/2832-9-0x00007FF992650000-0x00007FF993111000-memory.dmp

Filesize
10.8MB

Download
memory/2832-10-0x000001D163860000-0x000001D16386A000-memory.dmp

Filesize
40KB

Download
memory/3844-71-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3844-69-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3844-66-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3844-70-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3844-59-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3844-60-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3844-68-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3844-67-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3844-65-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3844-58-0x000001D55D6B0000-0x000001D55D6B1000-memory.dmp

Filesize
4KB

Download
memory/3928-23-0x000002B830520000-0x000002B830546000-memory.dmp

Filesize
152KB

Download
memory/3928-24-0x000002B830550000-0x000002B830564000-memory.dmp

Filesize
80KB

Download
memory/3928-18-0x000002B8302A0000-0x000002B8303F2000-memory.dmp

Filesize
1.3MB

Download
memory/3928-17-0x000002B8301A0000-0x000002B83027E000-memory.dmp

Filesize
888KB

Download
memory/3928-16-0x000002B82FE40000-0x000002B82FEF2000-memory.dmp

Filesize
712KB

Download
memory/3928-25-0x000002B830560000-0x000002B83057C000-memory.dmp

Filesize
112KB

Download
memory/3928-27-0x000002B830590000-0x000002B830598000-memory.dmp

Filesize
32KB

Download
memory/3928-26-0x000002B8305E0000-0x000002B830602000-memory.dmp

Filesize
136KB

Download
memory/3928-22-0x000002B8304E0000-0x000002B830522000-memory.dmp

Filesize
264KB

Download
memory/3928-21-0x000002B8304D0000-0x000002B8304DA000-memory.dmp

Filesize
40KB

Download
memory/3928-19-0x000002B8303F0000-0x000002B8304C0000-memory.dmp

Filesize
832KB

Download
memory/3928-20-0x000002B8304C0000-0x000002B8304CA000-memory.dmp

Filesize
40KB

Download
memory/4676-33-0x000002457E2C0000-0x000002457E372000-memory.dmp

Filesize
712KB

Download
memory/4676-36-0x0000024500000000-0x000002450000C000-memory.dmp

Filesize
48KB

Download
memory/4676-39-0x00000245010E0000-0x0000024501122000-memory.dmp

Filesize
264KB

Download
memory/6372-143-0x0000000004BB0000-0x0000000004BE4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads