hxxp://vingaming1113[.]github[.]io

Analysis

max time kernel
1046s
max time network
908s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/08/2024, 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://vingaming1113.github.io

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4848	dismhost.exe
516	dismhost.exe

Loads dropped DLL 10 IoCs

pid	Process
4848	dismhost.exe
4848	dismhost.exe
4848	dismhost.exe
4848	dismhost.exe
4848	dismhost.exe
516	dismhost.exe
516	dismhost.exe
516	dismhost.exe
516	dismhost.exe
516	dismhost.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	vds.exe
File opened (read-only)	\??\W:	vds.exe
File opened (read-only)	\??\Z:	vds.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vds.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagerr.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagerr.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe
File opened for modification	C:\Windows\system32\diskmgmt.msc	mmc.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	vds.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	cleanmgr.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	cleanmgr.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	cleanmgr.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000008000000b58935fa5ed0a6df0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000040ff35000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a000000000020c300000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000e03c04000000ffffffff000000000f0000000088e11db58935fa00000000000010c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020c33b0000000000800000000000ffffffff000000000700010000080000b58935fa00000000000020c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fa390ec1570000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000040ff35000000ffffffff000000000700010000680900b58935fa000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067\	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Driver	mmc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000008000000b58935fa3ceeaf630000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000040ff35000000ffffffff000000000700010000680900b58935fa000000000000d01200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000e03c04000000ffffffff000000000f0000000088e11db58935fa00000000000010c33b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020c33b0000000000800000000000ffffffff000000000700010000080000b58935fa00000000000020c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fa3ceeb7630000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000040ff35000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000008000000b58935fa5ed0a6df0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000040ff35000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a000000000020c300000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000e03c04000000ffffffff000000000f0000000088e11db58935fa00000000000010c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010c33b0000000000000000000000ffffffff000000000000000000000000b58935fa00000000000010c33b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	cleanmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b58935fa5bf0b7d30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b58935fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000040ff35000000ffffffff000000000700010000680900b58935fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a000000000020c300000000ffffffff000000000700010000f87f1db58935fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b58935fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	cleanmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION	mmc.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5000	WINWORD.EXE
5000	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1724	msedge.exe
1724	msedge.exe
4184	msedge.exe
4184	msedge.exe
388	identity_helper.exe
388	identity_helper.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4408	mmc.exe
1436	cleanmgr.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1988	vds.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe

Suspicious behavior: SetClipboardViewer 64 IoCs

pid	Process
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	taskmgr.exe
Token: SeSystemProfilePrivilege	2328	taskmgr.exe
Token: SeCreateGlobalPrivilege	2328	taskmgr.exe
Token: 33	2328	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2328	taskmgr.exe
Token: 33	4408	mmc.exe
Token: SeIncBasePriorityPrivilege	4408	mmc.exe
Token: 33	4408	mmc.exe
Token: SeIncBasePriorityPrivilege	4408	mmc.exe
Token: SeSecurityPrivilege	4408	mmc.exe
Token: SeTakeOwnershipPrivilege	4408	mmc.exe
Token: SeRestorePrivilege	540	7zG.exe
Token: 35	540	7zG.exe
Token: SeSecurityPrivilege	540	7zG.exe
Token: SeSecurityPrivilege	540	7zG.exe
Token: SeRestorePrivilege	2872	7zG.exe
Token: 35	2872	7zG.exe
Token: SeSecurityPrivilege	2872	7zG.exe
Token: SeSecurityPrivilege	2872	7zG.exe
Token: SeRestorePrivilege	1408	7zG.exe
Token: 35	1408	7zG.exe
Token: SeSecurityPrivilege	1408	7zG.exe
Token: SeSecurityPrivilege	1408	7zG.exe
Token: SeSecurityPrivilege	4408	mmc.exe
Token: SeTakeOwnershipPrivilege	4408	mmc.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	1436	cleanmgr.exe
Token: SeBackupPrivilege	1436	cleanmgr.exe
Token: SeRestorePrivilege	1436	cleanmgr.exe
Token: SeManageVolumePrivilege	780	cleanmgr.exe
Token: SeManageVolumePrivilege	780	cleanmgr.exe
Token: SeManageVolumePrivilege	780	cleanmgr.exe
Token: SeManageVolumePrivilege	780	cleanmgr.exe
Token: SeManageVolumePrivilege	780	cleanmgr.exe
Token: SeManageVolumePrivilege	780	cleanmgr.exe
Token: SeManageVolumePrivilege	780	cleanmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe
2328	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4408	mmc.exe
4408	mmc.exe
4408	mmc.exe
4408	mmc.exe
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE
5000	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 4852	4184	msedge.exe	84
PID 4184 wrote to memory of 4852	4184	msedge.exe	84
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 2796	4184	msedge.exe	85
PID 4184 wrote to memory of 1724	4184	msedge.exe	86
PID 4184 wrote to memory of 1724	4184	msedge.exe	86
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87
PID 4184 wrote to memory of 2096	4184	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vingaming1113.github.io
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd70fd46f8,0x7ffd70fd4708,0x7ffd70fd4718
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15066073424597493947,11858948248403237614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:2132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2128

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2328

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" C:\Windows\system32\diskmgmt.msc
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4408
- C:\Windows\System32\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe" /D C
  2⤵
  - Checks SCSI registry key(s)
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\059D4DC0-8A0C-41B1-B2B5-8DA8FD17F6F6\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\059D4DC0-8A0C-41B1-B2B5-8DA8FD17F6F6\dismhost.exe {71AE1EA8-E473-4DB6-AB3F-5FE92293E99C}
    3⤵
    - Drops file in Windows directory
    PID:4752
- C:\Windows\System32\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe" /D C
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- - C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\dismhost.exe {9D0B585F-F0B0-446E-8E62-CCD3BFC59E54}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:4848
- C:\Windows\System32\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe" /D C
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\3B3BD746-A6B7-4C54-98DD-E1CEE0054622\dismhost.exe
    C:\Users\Admin\AppData\Local\Temp\3B3BD746-A6B7-4C54-98DD-E1CEE0054622\dismhost.exe {7D59733B-2DB5-4A41-B10C-3DDF47F1EADD}
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:516

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4864

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: LoadsDriver
PID:1988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1952

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\New folder\New Text Document.txt
1⤵
PID:2796

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\New folder\New Text Document.txt
1⤵
PID:3928

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap5542:74:7zEvent31850 -tzip -sae -- "C:\Users\Admin\Downloads\New folder.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap4574:96:7zEvent3509 -tzip -sae -- "C:\Users\Admin\Downloads\New folder\New folder.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap6809:74:7zEvent3389 -tzip -sae -- "C:\Users\Admin\Downloads\New folder.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Videos\New Microsoft Word Document.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: SetClipboardViewer
- Suspicious use of SetWindowsHookEx
PID:5000
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1580

C:\Windows\System32\BitLockerWizardElev.exe
"C:\Windows\System32\BitLockerWizardElev.exe" C:\ T
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
22d47fde80501801656894bc91506aa6

SHA1
c5550f5450eca9b24416c56d722b7a6d7d63bfb4

SHA256
326410334921c9a003ca819820b2f26e6a31201d54a4b7dec0cf621756e46a94

SHA512
8abc97b035bc4a660184b1fd51ef190fc620d4017821d5e9ced6aee82fdc720be05eb412b606c4dcf2edbe354c370609bfc6ea8b5e14b6a26122f37ea5ffc6d2

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
175B

MD5
f7e7f0035fa81fbb236ac4798a375262

SHA1
c51ca41ff48325bda82504f8e8a31665552d6c3a

SHA256
22d6704d93f3660d5ce770e91bebe88ea51b38a23aeb075ae88bbb34d40c4de7

SHA512
17f42081fcdaec104fde15a69f8f83cd5a764b5b728be51911ae057faa2158ac80f19673fe67443fdbc7d40ba3709a2b9d97fba074eff6bb29c87f3cc46497b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f229d44ce31ef29fdc0e4dc41f8e9ab0

SHA1
113977c008926eb759497f59d90d412d1db8ff1c

SHA256
bbc1944c4578aba6a4239e22ed7785301e0d90036f34ecac981cb3623be536ea

SHA512
b9022872234d6b3599d6bef0ef6167f4ecaf15ea8b22d71d0e1df6c2e45d58c53ddc46989a6b32ea775149c1fdebead41269e1f23b71c39d06f032f7f7ab0af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d1d5017bd4847005bfa83f091477c7a

SHA1
539ecb17f34d774f8ca141bc7d5cdedb4fa0ac04

SHA256
529527732d8eeb43791ad640b0b4c573a9f3c4f7fbbed05e985c354b502f29ad

SHA512
c9037c3b68c100ccc9f5163e75b87f4393a6948b1a72c2bcaaf48ccfbe246dba4246b1c05d4b58bf4ad87decd955d71043701f57ec5944b876703243d4a0e433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70f66026981e172c4751aa4440ff9249

SHA1
6a9c49275a5a7edce15ed4ec0da850db82a7537f

SHA256
5da627b890c41e54a752b0138199be1940b29ba51bce6e91b348d76597f35ddc

SHA512
83586cea4e2f41d6f5ea97c3a1874eee25a715df9fe06258bc5833c33d19ace784096a014f216c9ac15ce61f4e8181db449a639843cae7c99ec06f38d6526283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e1039436e0c583134c755838477bb66f

SHA1
2da74c81d64fc2618e8d4cae15ff237ee0c29ec7

SHA256
daf960fdc1bbee1a483d43f1d5c6acbc3e39e999bb58750cec7c95b24777a486

SHA512
b7ea1cfdacfa44ce0937d5c69bdd629ea01f2ff3de450d227fd343feab375585f799c723108eed3208e9245035e0f400b8ccf48d8a08a99157c78f58e2c684fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b89126be-5fef-4a2f-91ff-94a3301de59b.tmp

Filesize
11KB

MD5
ee446d2022c9f34888895c4eba484332

SHA1
0b817fc0369be5c6e6ba03de24860f8e533d1880

SHA256
b5dd9a806b0891037cde90537bd20fe6565d1bb87716d1bb2ca63771b7290ff2

SHA512
cae768eb7999a27e783479e5485c0b894a866e2f9779c252c7728a9799e15b1ceb85477677b829839c650b9335f8a8a5eb1ed5d121028b95666b127aa30eb9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
bdb1c6a67b4a365e7c956808011add86

SHA1
739fd16e5ff5ad965108d69ce156a7359d8950dd

SHA256
8190ddea9ebada67bc40253c61b53f9ef822589128ca5781983183cbef9b66c0

SHA512
448a17a8af9054bf3fb15e79cd44166b7bb8baed820cb3963e7c950bc046db861f72105b7aec2fa841929136a76217ca678df28af680254322a63517caf37f40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7419.tmp

Filesize
24B

MD5
f732bf1006b6529cffba2b9f50c4b07f

SHA1
d3e8d4af812bbc4f4013c53c4ffab992d1d714e3

SHA256
77739084a27cb320f208ac1927d3d9c3cac42748dbdf6229684ef18352d95067

SHA512
064d56217aeb2980a3bfaa1e252404613624d600c3a08b5cf0adcb259596a1c60ee903fdc2650972785e5ae9b7b51890ded01ec4da7b4de94ebda08aeaf662df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn742A.tmp

Filesize
24B

MD5
db7c049e5e4e336d76d5a744c28c54c8

SHA1
a4db9c8586b9e4fa24416eb0d00f06a9ebd16b02

SHA256
e8830e7ac4088cf3dd464caec33a0035d966a7de5ae4efc3580d59a41916ff7b

SHA512
b614037fb1c7d19d704bf15f355672114d25080223e7ee4424ad2cb7b89782219e7877b373bbc7fa44f3ad8df8a27eef4e8ccc765d44ec02a61e3b7fae88ae69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn742B.tmp

Filesize
24B

MD5
fc94fe7bd3975e75cefad79f5908f7b3

SHA1
78e7da8d08e8898e956521d3b1babbf6524e1dca

SHA256
ee1ed3b49720b22d5fda63d3c46d62a96ca8838c76ab2d2f580b1e7745521aa5

SHA512
4ceaf9021b30734f4ce8b4d4a057539472e68c0add199cf9c3d1c1c95320da3884caf46943fc9f7281607ab7fa6476027860ebed8bbaa9c44b3f4056b5e074d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn742C.tmp

Filesize
24B

MD5
5f243bf7cc0a348b6d31460a91173e71

SHA1
5696b34625f027ec01765fc2be49efcfd882bf8e

SHA256
1b1aed169f2acfae4cf230701bda91229cb582ff2ce29a413c5b8fe3b890d289

SHA512
9e08dfbbf20668b86df696a0d5969e04e6ee4a67e997ff392099bc7ff184b1b8965502215744be7fe423668b69099242bba54df3f0bfe4e70acdc7cad8195b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn742D.tmp

Filesize
24B

MD5
379523b9f5d5b954e719b664846dbf8f

SHA1
930823ec80b85edd22baf555cad21cdf48f066aa

SHA256
3c9002caedf0c007134a7e632c72588945a4892b6d7ad3977224a6a5a7457bf4

SHA512
eca44de86bbc3309fa6eab400154d123dcd97dc1db79554ce58ce2426854197e2365f5eee42bac6e6e9455561b206f592e159ef82faf229212864894e6021e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn742E.tmp

Filesize
24B

MD5
2d84ad5cfdf57bd4e3656bcfd9a864ea

SHA1
b7b82e72891e16d837a54f94960f9b3c83dc5552

SHA256
d241584a3fd4a91976fafd5ec427e88f6e60998954dec39e388af88316af3552

SHA512
0d9bc1ee51a4fb91b24e37f85afbf88376c88345483d686c6cff84066544287c98534aa701d7d4d52e53f10a3bea73ee8bc38d18425fde6d66352f8b76c0cbb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn742F.tmp

Filesize
24B

MD5
635e15cb045ff4cf0e6a31c827225767

SHA1
f1eaaa628678441481309261fabc9d155c0dd6cb

SHA256
67219e5ad98a31e8fa8593323cd2024c1ca54d65985d895e8830ae356c7bdf1d

SHA512
81172ae72153b24391c19556982a316e16e638f5322b11569d76b28e154250d0d2f31e83e9e832180e34add0d63b24d36dd8a0cee80e8b46d96639bff811fa58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7430.tmp

Filesize
24B

MD5
2dd3f3c33e7100ec0d4dbbca9774b044

SHA1
b254d47f2b9769f13b033cae2b0571d68d42e5eb

SHA256
5a00cc998e0d0285b729964afd20618cbaecfa7791fecdb843b535491a83ae21

SHA512
c719d8c54a3a749a41b8fc430405db7fcde829c150f27c89015793ca06018ad9d6833f20ab7e0cfda99e16322b52a19c080e8c618f996fc8923488819e6e14bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7431.tmp

Filesize
24B

MD5
d192f7c343602d02e3e020807707006e

SHA1
82259c6cb5b1f31cc2079a083bc93c726bfc4fbf

SHA256
bb4d233c90bdbee6ef83e40bff1149ea884efa790b3bef496164df6f90297c48

SHA512
aec90cf52646b5b0ef00ceb2a8d739befe456d08551c031e8dec6e1f549a6535c1870adb62eec0a292787ae6a7876388dd1b2c884cba8cc6e2d7993790102f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7432.tmp

Filesize
24B

MD5
f6b463be7b50f3cc5d911b76002a6b36

SHA1
c94920d1e0207b0f53d623a96f48d635314924d2

SHA256
16e4d1b41517b48ce562349e3895013c6d6a0df4fcffc2da752498e33c4d9078

SHA512
4d155dfedd3d44edfbbe7ac84d3e81141d4bb665399c2a5cf01605c24bd12e6faf87bb5b666ea392e1b246005dfabde2208ed515cd612d34bac7f965fd6cc57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7433.tmp

Filesize
24B

MD5
2a8875d2af46255db8324aad9687d0b7

SHA1
7a066fa7b69fb5450c26a1718b79ad27a9021ca9

SHA256
54097cccae0cfce5608466ba5a5ca2a3dfeac536964eec532540f3b837f5a7c7

SHA512
2c39f05a4dffd30800bb7fbb3ff2018cf4cc96398460b7492f05ce6afd59079fd6e3eb7c4f8384a35a954a22b4934c162a38534ad76cfb2fd772bcf10e211f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7434.tmp

Filesize
24B

MD5
ae6fbded57f9f7d048b95468ddee47ca

SHA1
c4473ea845be2fb5d28a61efd72f19d74d5fc82e

SHA256
d3c9d1ff7b54b653c6a1125cac49f52070338a2dd271817bba8853e99c0f33a9

SHA512
f119d5ad9162f0f5d376e03a9ea15e30658780e18dd86e81812dda8ddf59addd1daa0706b2f5486df8f17429c2c60aa05d4f041a2082fd2ec6ea8cc9469fade3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7435.tmp

Filesize
24B

MD5
60476a101249aedff09a43e047040191

SHA1
de5b6a0adc7de7180e19286cf0f13567278cdb64

SHA256
35bc77a06bfdde8c8f3a474c88520262b88c7b8992ee6b2d5cf41dddc77a83fb

SHA512
f1d2dcc562a36434c6c6405ec4eac7ecfa76fc5a940114da6f94495b77584a132d5d82ad3556df749490be096cfd238fa8b484b7c734cbc4d074e963e5d451f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\IconCacheToDelete\icn7436.tmp

Filesize
24B

MD5
419a089e66b9e18ada06c459b000cb4d

SHA1
ed2108a58ba73ac18c3d2bf0d8c1890c2632b05a

SHA256
c48e42e9ab4e25b92c43a7b0416d463b9ff7c69541e4623a39513bc98085f424

SHA512
bbd57bea7159748e1b13b3e459e2c8691a46bdc9323afdb9dbf9d8f09511750d46a1d98c717c7adca07d79edc859e925476dd03231507f37f45775c0a79a593c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
fa4027847cd8a05849abcfa508460073

SHA1
0a2df1607a3579b3f0c0f4146c00efa910f376f6

SHA256
937e41655ad66ea8428ea7e73b99af0215bb6b1959a1a1c503f076535a680d2e

SHA512
94b385666b21eef9f4b6912f76618fb2315590494a6e71d7ed7ff0029042279baacaf5f88b26e5c0f0e9824c843e568397c20f62cc034db3bbbdf541c29ec44d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0002.docx

Filesize
11KB

MD5
eb836782c61f7f6d9710e84c1f78f1fc

SHA1
2d97bae9407d90467fe3b87dc66b8ed334bb6a5e

SHA256
153ad2b36caffd91522b8a51c7745f7a027404d9784eb59f834fb70458aeaa6a

SHA512
d17e3d3647555e12f80717fb66995434c9e012b611b684408a02ab054989e4d4150fa033a2e49ee62446c53d359c793c7b6286dfde720647b0de10ed3d51085a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRD0004.docx

Filesize
11KB

MD5
adc632751f685a6cff39a1cc8ea0d7b9

SHA1
e638994261249acdb5a7e545a07d7abdb920b3ff

SHA256
2d448455ddbd4a6f3be87978c9c72897716f72dad60c9c969942e18ed57ab297

SHA512
5622c965e8f5b1488be6f8ffad16bbdad51ae469c00cfebb6a8d85ceea3b85f51d709c654fb08fbf04e92d891206c285b8c691a619e5178081440d984b6eae3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\FolderProvider.dll

Filesize
59KB

MD5
4f3250ecb7a170a5eb18295aa768702d

SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d

SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\GenericProvider.dll

Filesize
149KB

MD5
ef7e2760c0a24453fc78359aea3d7869

SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1

SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\IBSProvider.dll

Filesize
59KB

MD5
120f0a2022f423fc9aadb630250f52c4

SHA1
826df2b752c4f1bba60a77e2b2cf908dd01d3cf7

SHA256
5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0

SHA512
23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\ImagingProvider.dll

Filesize
218KB

MD5
35e989a1df828378baa340f4e0b2dfcb

SHA1
59ecc73a0b3f55e43dace3b05ff339f24ec2c406

SHA256
874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d

SHA512
c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\IntlProvider.dll

Filesize
296KB

MD5
510e132215cef8d09be40402f355879b

SHA1
cae8659f2d3fd54eb321a8f690267ba93d56c6f1

SHA256
1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52

SHA512
2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\MsiProvider.dll

Filesize
207KB

MD5
9a760ddc9fdca758501faf7e6d9ec368

SHA1
5d395ad119ceb41b776690f9085f508eaaddb263

SHA256
7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f

SHA512
59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\OfflineSetupProvider.dll

Filesize
182KB

MD5
9cd7292cca75d278387d2bdfb940003c

SHA1
bab579889ed3ac9cb0f124842c3e495cb2ec92ac

SHA256
b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f

SHA512
ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\ProvProvider.dll

Filesize
753KB

MD5
70c34975e700a9d7e120aaecf9d8f14b

SHA1
e24d47f025c0ec0f60ec187bfc664e9347dc2c9c

SHA256
a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7

SHA512
7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\FfuProvider.dll.mui

Filesize
9KB

MD5
dc826a9cb121e2142b670d0b10022e22

SHA1
b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

SHA256
ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

SHA512
038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
22b4a3a1ec3b6d7aa3bc61d0812dc85f

SHA1
97ae3504a29eb555632d124022d8406fc5b6f662

SHA256
c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105

SHA512
9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\GenericProvider.dll.mui

Filesize
5KB

MD5
d6b02daf9583f640269b4d8b8496a5dd

SHA1
e3bc2acd8e6a73b6530bc201902ab714e34b3182

SHA256
9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0

SHA512
189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\IBSProvider.dll.mui

Filesize
2KB

MD5
d4b67a347900e29392613b5d86fe4ac2

SHA1
fb84756d11bfd638c4b49268b96d0007b26ba2fb

SHA256
4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5

SHA512
af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\ImagingProvider.dll.mui

Filesize
18KB

MD5
f2e2ba029f26341158420f3c4db9a68f

SHA1
1dee9d3dddb41460995ad8913ad701546be1e59d

SHA256
32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3

SHA512
3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\IntlProvider.dll.mui

Filesize
27KB

MD5
2eb303db5753eb7a6bb3ab773eeabdcb

SHA1
44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4

SHA256
aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f

SHA512
df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\LogProvider.dll.mui

Filesize
6KB

MD5
8933c8d708e5acf5a458824b19fd97da

SHA1
de55756ddbeebc5ad9d3ce950acba5d2fb312331

SHA256
6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6

SHA512
ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\MsiProvider.dll.mui

Filesize
15KB

MD5
c5e60ee2d8534f57fddb81ffce297763

SHA1
78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2

SHA256
1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145

SHA512
ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\OSProvider.dll.mui

Filesize
3KB

MD5
0633e0fccd477d9b22de4dd5a84abe53

SHA1
e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9

SHA256
b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706

SHA512
e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\OfflineSetupProvider.dll.mui

Filesize
2KB

MD5
015271d46ab128a854a4e9d214ab8a43

SHA1
2569deff96fb5ad6db924cee2e08a998ddc80b2a

SHA256
692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec

SHA512
6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\ProvProvider.dll.mui

Filesize
4KB

MD5
b8a8c6c4cd89eeda1e299c212dc9c198

SHA1
f88c8a563b20864e0fc6f3d63fadda507aa2e96e

SHA256
50ad19e21b6425d12aa57cd4656748877db1f147189ec44abb19ba90be8505ea

SHA512
4a6f0dac5b3b18e4942ce5f51b566ce3ba465baa43457384ee785d1c0e7c33f9b9396a143aac0398a34e4e2f7d704ba06d3cc68761fd3cb6f53f4043a906e475

Download Submit
C:\Users\Admin\AppData\Local\Temp\3FE1E5B5-900C-4B08-8AC8-C5FF81770FBD\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD3F3B.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
380B

MD5
694eeb54e8757dedcf952c588192b8a1

SHA1
dc5674621b5ac3c19afa756265c7d298e74b3b33

SHA256
f46992e0b861d2715e26f7a1d8e7d0612ea926566202706198b318a849c71ae1

SHA512
34a14e15119c66ca7e89bc4a0e8407f654dc7e55790d3a2eadce4a2f42c3ea693d5ae5c053077c4bcf7aab149690a948c0eb52a3ace8e98856859a9767e91e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
da69c5916ca081f1572e03215806af49

SHA1
29c2a67c003072c2b05314d6bf0eb7cdf2588b68

SHA256
18abbb22c0ec6b9ec525fc4850b20ec95f3ba659db4405e4a4a03ddc7ca96642

SHA512
0dc461ba160c2de9946b4de71b3e4e08558889de4c7effcd63948914320ab85458be2c096675caf395d8bf3b1aa129d9583c9bfa53535721696feaee5ac09fbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
df0032c7b33276ecb5573aa9b2e94f75

SHA1
818b7bf21ea415d246d396ae147f3482ba605105

SHA256
8092a060a3ebf3b5a56a5f30692494047ecfd9f471b01639364c0fbca70a0ce2

SHA512
70310e0d5363315ef5bfc2716ca0433437378093c5a20830498702f9cfd48ecf024498324a2c3cafa2b7960d04e37af19b60d385d8f58e1c260d0d3746bede8e

Download Submit
C:\Users\Admin\Downloads\New folder.zip

Filesize
8KB

MD5
526dd4e0a056751d17573ad22ebe6ad8

SHA1
648f5f63bf5cd2d9233ef74c8f73e6e7a79d7ed1

SHA256
fb1c4472c4e40d9bd0af43af38d132b5515a680728708ad417a9c0032bdc5db3

SHA512
c39314a3828443542074c01041862d882a6b134f731c8e9d0d8891350d044c7423d0aa7fcae7d03487a65d568528c9f32bbeaedca3562821dd0157135e91e085

Download Submit
C:\Users\Admin\Downloads\New folder\New Text Document.txt

Filesize
7KB

MD5
b10bbd5c280c2b145d7b3d8dbbd89903

SHA1
f184f2c0922052155d50ad5f7616c75c06362ae1

SHA256
c18ea62d8c18459cb62bf2ca3c273e435227677a95e855effb3009e488747916

SHA512
f6e6af2d1e6d836d0ab5579aeefe9a1397572d5a074b4635fa6b1683e1c1d3b8435966077652ef320dc1e5b319026eb1369c0688b178c95619e1857352c84fad

Download Submit
C:\Users\Admin\Downloads\New folder\New folder.zip

Filesize
18KB

MD5
f05588ad6b47c910b0e6f5668256d1bf

SHA1
4711fbc91ae81cf160da904a4545349a2b38b1c7

SHA256
7c17dd05c1a9edfe230bb7dd6ec514e0aae0fefaac82763b1463158dc68f100e

SHA512
a732e10b479b5ff9cf325e5ac375fb2655ac8df382c0f4ce55179b7feaeb17e4c81918b700ca09094921fbd75d7f620ef1b910056a055ff654f1ef8ecd5dc310

Download Submit
C:\Users\Admin\Videos\New Microsoft Word Document.docx

Filesize
19KB

MD5
78354133fb0eff068bfc7a4f26e0df65

SHA1
c02835d14cde67d341677814500b593fca9a4e66

SHA256
95783ff37b16b89b39dd45a1628e0dfa9b0a860363a489f1d6672d9b79739f7a

SHA512
511a328d3ef31ad9489d4c35794dd511aae676cc18c5572cab6b8ce869cba6442943dc6a2652dc982bc746ccbf25cd2d55701fe1a5e30d45d95422433b0290cd

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
244KB

MD5
13cd2257cc082908bf62eb4e87657521

SHA1
6251b88faf0f65cbbf57bcfb345e5c532238c0aa

SHA256
33fd6adaaab3c3a69ecefa05577bc56414a4f4eb124682b2a04cf15160e6810b

SHA512
763b27fb5d64f97b2133b54a3e7197e82384c453c06836184103fa623fce264da43e6fdc8060ab6d2f880d78a8ba42086f672be37953466e229093cf7ec34616

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
248KB

MD5
908ea8bfd7cba88e6ea0efe74b417297

SHA1
3894c0085f646f28d7172da7c338a3afc888ec2d

SHA256
a64fa47e30f6d1e89010d51b565ad068d57453c0e8387cee930306faeb9840ed

SHA512
4dd7fe4725d80a6bfa40d0bf0c51cbf00ee65d1c941aabc7a2a09253c821325223b6a4d508f8442c15d3c8930a49795eca5d6128a302168618f5a980dd168928

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
265KB

MD5
db9bf49d21869ad1b78b3a98d6621829

SHA1
78e47c57c49095d8a38acc5c57938f4a04a64bb9

SHA256
efd1a4ccc3e2dc384aed39cd1d1fe5975cf308e914f371e213fd2a2ab86b9496

SHA512
88a1b17c0792ab81ebfe6fcbe8eb5fede7182114619fff50d6b31de39dd135fdacc97cc70d13f53bb33222e36796a3b39a13496769ca930291d1f9b5e896948d

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagerr.xml

Filesize
16KB

MD5
b9b1723a0dbe69dc24320f6476786f27

SHA1
293d01ad6c80e22e071bfded26a42cae292109de

SHA256
2f7a1e460d6cc565a7f9b68a640eb76665f18890e8df022cfbae42fea008e7a6

SHA512
fb13c5d0b739f5b1bea3b9987a9b665801b5f73aa3e5622821b7846db15965de58a26eee6e45e9b1091d4715c4998451974cf6f263362531261633e05f5df911

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagwrn.xml

Filesize
11KB

MD5
0e359ef178b73aaae2c6d6ac11b4fe15

SHA1
96dc999a49b643c56da6f921270d5203d417e58d

SHA256
18eabea7b83b34964a6af412ddfdb0c3a622fd09e36748a857bf69863fae41dd

SHA512
123d25b189a2f4c43a19d1cec9b0df8c8d588bc34f06aa8ec9508b58db7335038345397c4d9dac65fdb4a67ce9d7bb810352fa5b81dd3dda6c019f7f602c88fe

Download Submit
C:\Windows\System32\LogFiles\setupcln\setupact.log

Filesize
25KB

MD5
1ccfc12fde0627f2d51b50e76a78a33a

SHA1
7bdf287a3f1b89e0b72c4b1c34e35d937a78831c

SHA256
6901e64e2432aa67d982d10ae6c0fadb86868d23fff339d94157c1417dce3f0f

SHA512
dee5d53a05080e4272a3c62c31c5ea74e17ae7ef93c7de319d4abc86a83078658748f40e32805787a2c4327d26815dadbb4c149aa39c9dd5a4640aeccd0db9f4

Download Submit
memory/2328-157-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/2328-165-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/2328-163-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/2328-166-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/2328-167-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/2328-168-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/2328-169-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/2328-164-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/2328-158-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/2328-159-0x000002422B3D0000-0x000002422B3D1000-memory.dmp

Filesize
4KB

Download
memory/5000-197-0x00007FFD3DC60000-0x00007FFD3DC70000-memory.dmp

Filesize
64KB

Download
memory/5000-192-0x00007FFD3FE70000-0x00007FFD3FE80000-memory.dmp

Filesize
64KB

Download
memory/5000-193-0x00007FFD3FE70000-0x00007FFD3FE80000-memory.dmp

Filesize
64KB

Download
memory/5000-441-0x00007FFD3FE70000-0x00007FFD3FE80000-memory.dmp

Filesize
64KB

Download
memory/5000-442-0x00007FFD3FE70000-0x00007FFD3FE80000-memory.dmp

Filesize
64KB

Download
memory/5000-194-0x00007FFD3FE70000-0x00007FFD3FE80000-memory.dmp

Filesize
64KB

Download
memory/5000-440-0x00007FFD3FE70000-0x00007FFD3FE80000-memory.dmp

Filesize
64KB

Download
memory/5000-195-0x00007FFD3FE70000-0x00007FFD3FE80000-memory.dmp

Filesize
64KB

Download
memory/5000-196-0x00007FFD3FE70000-0x00007FFD3FE80000-memory.dmp

Filesize
64KB

Download
memory/5000-439-0x00007FFD3FE70000-0x00007FFD3FE80000-memory.dmp

Filesize
64KB

Download
memory/5000-198-0x00007FFD3DC60000-0x00007FFD3DC70000-memory.dmp

Filesize
64KB

Download