Resubmissions
12/07/2024, 11:28  240712-nld99s1fpp  1
12/07/2024, 07:42  240712-jjwz3swhja  1
12/07/2024, 07:30  240712-jb5x1stfll  1
12/07/2024, 07:25  240712-h82feswdkg  1
Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/07/2024, 07:30
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample: https://d3hwtxj0w1i8v8.cloudfront.net/2024/07/2/116/TA.xlsx
Resource: win10v2004-20240709-en
General
Target: https://d3hwtxj0w1i8v8.cloudfront.net/2024/07/2/116/TA.xlsx
Malware Config
Signatures
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings | msedge.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
1020 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
4752 | msedge.exe
4424 | msedge.exe
4916 | identity_helper.exe
872 | msedge.exe
2560 | msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
pid | Process
4424 | msedge.exe

Suspicious use of FindShellTrayWindow (33 IoCs)
pid | Process
4424 | msedge.exe

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process
4424 | msedge.exe

Suspicious use of SetWindowsHookEx (13 IoCs)
pid | Process
1020 | EXCEL.EXE

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 4424 wrote to memory of 4508 | 4424 | msedge.exe | 83
PID 4424 wrote to memory of 768 | 4424 | msedge.exe | 84
PID 4424 wrote to memory of 4752 | 4424 | msedge.exe | 85
PID 4424 wrote to memory of 1624 | 4424 | msedge.exe | 86

Processes
PID 4424: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://d3hwtxj0w1i8v8.cloudfront.net/2024/07/2/116/TA.xlsx
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    PID 4508: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83c5346f8,0x7ff83c534708,0x7ff83c534718

    PID 768: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2

    PID 4752: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    PID 1624: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8

    PID 1772: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

    PID 2828: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1

    PID 4228: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8

    PID 4916: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 4384: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

    PID 4812: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

    PID 1228: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4756 /prefetch:8

    PID 316: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1

    PID 872: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 3372: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1

    PID 2528: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1

    PID 4228: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

    PID 1020: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\TA.xlsx"
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx

    PID 2560: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,11599298256769932691,13838108550103541733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6016 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

PID 3556: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 2412: C:\Windows\System32\CompPkgSrv.exe -Embedding

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres (Filesize: 4KB)
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms (Filesize: 3KB)