Analysis
-
max time kernel
30s -
max time network
89s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system -
submitted
02/08/2024, 20:51
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/LJ9859/Malware-Database/raw/main/Ransomware/Hitler%20Ransomware.zip
Resource
win10v2004-20240802-en
General
-
Target
https://github.com/LJ9859/Malware-Database/raw/main/Ransomware/Hitler%20Ransomware.zip
Malware Config
Signatures
-
UAC bypass
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Hitler Ransomware.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Executes dropped EXE 1 IoCs
pid Process 1936 Hitler Ransomware.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3524 icacls.exe -
resource yara_rule
behavioral1/files/0x000700000002351b-84.dat upx
behavioral1/memory/1936-86-0x0000000000400000-0x000000000085A000-memory.dmp upx
behavioral1/memory/1936-13364-0x0000000000400000-0x000000000085A000-memory.dmp upx
behavioral1/memory/1936-16770-0x0000000000400000-0x000000000085A000-memory.dmp upx
behavioral1/memory/1936-26359-0x0000000000400000-0x000000000085A000-memory.dmp upx
behavioral1/memory/1936-26360-0x0000000000400000-0x000000000085A000-memory.dmp upx
behavioral1/memory/1936-30111-0x0000000000400000-0x000000000085A000-memory.dmp upx
behavioral1/memory/1936-40353-0x0000000000400000-0x000000000085A000-memory.dmp upx
behavioral1/memory/1936-45116-0x0000000000400000-0x000000000085A000-memory.dmp upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Adolf Hitler = "C:\\Users\\Admin\\Downloads\\Hitler Ransomware\\Hitler Ransomware.exe" Hitler Ransomware.exe -
Checks whether UAC is enabled
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Hitler Ransomware.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File created C:\$Recycle.Bin\S-1-5-21-4182098368-2521458979-3782681353-1000\desktop.ini Hitler Ransomware.exe File created C:\Program Files\desktop.ini Hitler Ransomware.exe -
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 15 raw.githubusercontent.com 16 raw.githubusercontent.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\×ÀÃæ±³¾°Í¼Æ¬.bmp" Hitler Ransomware.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Drawing.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\mscordbi.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Security.Cryptography.Xml.dll Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipsid.xml Hitler Ransomware.exe File opened for modification C:\Program Files\Common Files\microsoft shared\VC\msdia100.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Principal.Windows.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\System.Windows.Forms.Design.resources.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Printing.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Configuration.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Intrinsics.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\LICENSE.txt Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Globalization.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.StackTrace.dll Hitler Ransomware.exe File created C:\Program Files\Common Files\System\en-US\wab32res.dll.mui Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft 
shared\ink\en-US\InkObj.dll.mui Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\netstandard.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.DataAnnotations.dll Hitler Ransomware.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-conio-l1-1-0.dll Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipscht.xml Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\InkObj.dll.mui Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.CoreLib.dll Hitler Ransomware.exe File created C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Xaml.resources.dll Hitler Ransomware.exe File created C:\Program Files\Common Files\System\msadc\msadco.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll Hitler Ransomware.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\UIAutomationClient.resources.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Runtime.Intrinsics.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll Hitler Ransomware.exe File created C:\Program Files\Common 
Files\System\Ole DB\en-US\msdasqlr.dll.mui Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.ReaderWriter.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlDocument.dll Hitler Ransomware.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\UIAutomationTypes.resources.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.Annotations.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ObjectModel.dll Hitler Ransomware.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\en-US\mip.exe.mui Hitler Ransomware.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\en-US\rtscom.dll.mui Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ReachFramework.dll Hitler Ransomware.exe File created C:\Program Files\Common 
Files\System\ado\msadox.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationClientSideProviders.resources.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Drawing.dll Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\ja-JP\TabTip.exe.mui Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.dll Hitler Ransomware.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Runtime.Serialization.Xml.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.dll Hitler Ransomware.exe File opened for modification C:\Program Files\MeasureRemove.zip Hitler Ransomware.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\FrequentOfficeUpdateSchedule.xml Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\PresentationCore.resources.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Runtime.InteropServices.dll Hitler Ransomware.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Accessibility.dll Hitler Ransomware.exe File opened for 
modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\PresentationFramework.resources.dll Hitler Ransomware.exe File created C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui Hitler Ransomware.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\×ÀÃæ±³¾°Í¼Æ¬.bmp Hitler Ransomware.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WMIC.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hitler Ransomware.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 6772 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 5080 msedge.exe 5080 msedge.exe 816 msedge.exe 816 msedge.exe 1000 identity_helper.exe 1000 identity_helper.exe 3356 msedge.exe 3356 msedge.exe 1936 Hitler Ransomware.exe 1936 Hitler Ransomware.exe 1936 Hitler Ransomware.exe 1936 Hitler Ransomware.exe 1936 Hitler Ransomware.exe 1936 Hitler Ransomware.exe 1936 Hitler Ransomware.exe 1936 Hitler Ransomware.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe -
Suspicious use of AdjustPrivilegeToken 52 IoCs
description pid Process Token: SeRestorePrivilege 3720 7zG.exe Token: 35 3720 7zG.exe Token: SeSecurityPrivilege 3720 7zG.exe Token: SeSecurityPrivilege 3720 7zG.exe Token: SeDebugPrivilege 1936 Hitler Ransomware.exe Token: 33 5784 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 5784 AUDIODG.EXE Token: SeIncreaseQuotaPrivilege 5492 WMIC.exe Token: SeSecurityPrivilege 5492 WMIC.exe Token: SeTakeOwnershipPrivilege 5492 WMIC.exe Token: SeLoadDriverPrivilege 5492 WMIC.exe Token: SeSystemProfilePrivilege 5492 WMIC.exe Token: SeSystemtimePrivilege 5492 WMIC.exe Token: SeProfSingleProcessPrivilege 5492 WMIC.exe Token: SeIncBasePriorityPrivilege 5492 WMIC.exe Token: SeCreatePagefilePrivilege 5492 WMIC.exe Token: SeBackupPrivilege 5492 WMIC.exe Token: SeRestorePrivilege 5492 WMIC.exe Token: SeShutdownPrivilege 5492 WMIC.exe Token: SeDebugPrivilege 5492 WMIC.exe Token: SeSystemEnvironmentPrivilege 5492 WMIC.exe Token: SeRemoteShutdownPrivilege 5492 WMIC.exe Token: SeUndockPrivilege 5492 WMIC.exe Token: SeManageVolumePrivilege 5492 WMIC.exe Token: 33 5492 WMIC.exe Token: 34 5492 WMIC.exe Token: 35 5492 WMIC.exe Token: 36 5492 WMIC.exe Token: SeIncreaseQuotaPrivilege 5492 WMIC.exe Token: SeSecurityPrivilege 5492 WMIC.exe Token: SeTakeOwnershipPrivilege 5492 WMIC.exe Token: SeLoadDriverPrivilege 5492 WMIC.exe Token: SeSystemProfilePrivilege 5492 WMIC.exe Token: SeSystemtimePrivilege 5492 WMIC.exe Token: SeProfSingleProcessPrivilege 5492 WMIC.exe Token: SeIncBasePriorityPrivilege 5492 WMIC.exe Token: SeCreatePagefilePrivilege 5492 WMIC.exe Token: SeBackupPrivilege 5492 WMIC.exe Token: SeRestorePrivilege 5492 WMIC.exe Token: SeShutdownPrivilege 5492 WMIC.exe Token: SeDebugPrivilege 5492 WMIC.exe Token: SeSystemEnvironmentPrivilege 5492 WMIC.exe Token: SeRemoteShutdownPrivilege 5492 WMIC.exe Token: SeUndockPrivilege 5492 WMIC.exe Token: SeManageVolumePrivilege 5492 WMIC.exe Token: 33 5492 WMIC.exe Token: 34 5492 WMIC.exe Token: 35 5492 WMIC.exe Token: 36 5492 WMIC.exe Token: 
SeBackupPrivilege 6920 vssvc.exe Token: SeRestorePrivilege 6920 vssvc.exe Token: SeAuditPrivilege 6920 vssvc.exe -
Suspicious use of FindShellTrayWindow 39 IoCs
pid Process 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 3720 7zG.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe 816 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1936 Hitler Ransomware.exe 1936 Hitler Ransomware.exe 1936 Hitler Ransomware.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 816 wrote to memory of 1372 816 msedge.exe 81 PID 816 wrote to memory of 1372 816 msedge.exe 81 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 
wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 1180 816 msedge.exe 83 PID 816 wrote to memory of 5080 816 msedge.exe 84 PID 816 wrote to memory of 5080 816 msedge.exe 84 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 PID 816 wrote to memory of 1948 816 msedge.exe 85 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Hitler Ransomware.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/LJ9859/Malware-Database/raw/main/Ransomware/Hitler%20Ransomware.zip1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ff8157746f8,0x7ff815774708,0x7ff8157747182⤵PID:1372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:22⤵PID:1180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:82⤵PID:1948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:1564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:60
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵PID:748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:12⤵PID:1900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:12⤵PID:5112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5688 /prefetch:82⤵PID:4656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵PID:3004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:12⤵PID:1932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:12⤵PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,16827795348311698994,6404072363376976666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3356
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3272
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1584
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1896
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Hitler Ransomware\" -spe -an -ai#7zMap10930:96:7zEvent247591⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3720
-
C:\Users\Admin\Downloads\Hitler Ransomware\Hitler Ransomware.exe"C:\Users\Admin\Downloads\Hitler Ransomware\Hitler Ransomware.exe"1⤵
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1936 -
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3524
-
-
C:\Windows\SysWOW64\cmd.execmd /c vssadmin delete shadow /all /quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet2⤵
- System Location Discovery: System Language Discovery
PID:3316 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5492
-
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x31c 0x3041⤵
- Suspicious use of AdjustPrivilegeToken
PID:5784
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6920
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:3820
-
C:\Windows\system32\dashost.exedashost.exe {f67e0a95-d693-4bb6-90be0e6f8b9cf773}2⤵PID:6116
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:7752
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\TraceCompare.AdolfHitler2⤵
- Opens file in notepad (likely ransom note)
PID:6772
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
File and Directory Permissions Modification 2
Windows File and Directory Permissions Modification 1
Impair Defenses 1
Disable or Modify Tools 1
Indicator Removal 1
File Deletion 1
Modify Registry 4
Downloads
-
Filesize 129B
MD5 a526b9e7c716b3489d8cc062fbce4005
SHA1 2df502a944ff721241be20a9e449d2acd07e0312
SHA256 e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066
SHA512 d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88
-
Filesize 44B
MD5 4d7e954c13be6a4c86cbd5c7e5e11449
SHA1 d1a55bcc1baaa445e93da159334c2df083f7ae68
SHA256 8070c87f0f0e1e8560c14be5d8c6017e6a455375dada421ee782a98e96dc7b92
SHA512 2ed8ddbdc6db5392fc96169bfd47e9911d8001a4681073673621039b29238315438f58ce991071c617734aaa61f0fc6137958f79d5147c1c36f087e56a9365b0
-
Filesize 152B
MD5 111c361619c017b5d09a13a56938bd54
SHA1 e02b363a8ceb95751623f25025a9299a2c931e07
SHA256 d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc
SHA512 fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2
-
Filesize 75B
MD5 81cc09cb0d0c20f6672660b457fe150e
SHA1 96babff5bd3fc6321306f23370de8450dae40199
SHA256 fa2c86b2c526f42dcac8239980a8860922763adee65ab4d8ddddc961b44d2157
SHA512 4fb4c30b0a9feebff937d56a89d883fe78e667e00ca3b04eca2b253c7f0cfa7742a451da0fc212a6163d452146240f3fdb2f537cccbace38018d91dbcf10fcdf
-
Filesize 152B
MD5 983cbc1f706a155d63496ebc4d66515e
SHA1 223d0071718b80cad9239e58c5e8e64df6e2a2fe
SHA256 cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c
SHA512 d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd
-
Filesize 44KB
MD5 4cf133f75d6e8af487a313973045205b
SHA1 774f8b55d3edf1466025eae0f641519db2a21699
SHA256 8f722ff4ff4e3ef854177036ee4cb5863e75dbb002fcc96ac326a96525a01fb0
SHA512 35d872156798f1e1484befd83406b1b2f148e030800523f71ea92162435f91a73c42979c3371061bb4b395c9b280f3470777417a3631b9daf942be0abafae78c
-
Filesize 264KB
MD5 4e160185d098034f1500139ce45acbd3
SHA1 c6ba6b26975b4c7efbcb046a8f904ef4109d6a7f
SHA256 4694377f3bc2d11b5db6ea5742177f1e90673245eee7d35b4e9ff265e0c0e664
SHA512 6871492f4151bf8c3bc780a1c157ac02c7ec146d05604c0780191fc05a9e611fe74f58e21ad6efafa1af43a49afd807043407b6c171f3c3d31ca0db39ee83122
-
Filesize 4.0MB
MD5 50cbcccca8f39c0c6b046aefb3d3b7a9
SHA1 85e4a1964dd3c3d37820a1f9a0fa3bfb856b9b1d
SHA256 615ae2fc5f048adfb2e18fd6d916d3adddcf7690e6e23e85cc8f0a1c14bb6ea7
SHA512 2553cebf32273ef48d9dee8c22143d72f314f8aaf7d8aa40322bb62a8cb6436cf2d2971f1c3a561b7f17c8fdbcb8b04a7f06e0df9ff0bfc71d8b613a909f31ed
-
Filesize 76B
MD5 f8ebcec3ea093f5196e9762e53eecec2
SHA1 b89f736fb48b9bbae25a17f26b7328cfa3a6a0fa
SHA256 b911399bfef4962d70cfda8b4db1af590a8fc9ba4affe2c091921f4d715cb89d
SHA512 6d162a7d7b40d589c88bbd35c928adc95b9c8080c5b3ee78d017662227fa3340709345a5e101e9fd95dbdbd344341651584ccdf9656c18624ae8cf922165a01c
-
Filesize 86B
MD5 17c2dab975e2ef49a611bb350d2e3133
SHA1 2ca07cc67b39be900c179f7067c6324c5190283a
SHA256 da86b77b8b9f851b5eb5bfa83cea99b55a14725e23d866157974e6e2c5b8efb7
SHA512 3e49baec85c1fffcf78b5eaee54d4be971da13c5af823a1a4f63b1c7619162ce18ab3fb7c6dd16d3a20a54e82ded433040c9933a177bc2dba395354b4af51e48
-
Filesize 261B
MD5 2c2e6472d05e3832905f0ad4a04d21c3
SHA1 007edbf35759af62a5b847ab09055e7d9b86ffcc
SHA256 283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03
SHA512 8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37
-
Filesize 6KB
MD5 f1a693b9dd0f177ae16c4e89a8db3cf2
SHA1eb03f39f23db016dab1cd7c04bb831e286ca8572
SHA256da006ca99968916b25c42544f87806916f3f2176212638300425a9b2bca41709
SHA5128275c99f7c4cfcda180f471b701dd334d31e3c8371e660e94ef8816d6391e230bc83de1c52bf8219826e5248ef553f9a30957e42ac54d5135cf77e0d41e31ed9
-
Filesize
73B
MD5ac4fa8cfdea11ab64bdc844881898838
SHA13107b4eade3c60c19f7d9750201af694ae80a4d7
SHA256c5c87efedb767dd03525c56bd3dc4f11949d3e3980302671c0882eaf1ca28f42
SHA5122dc3642d32e73afc7c348f1082aff406da0168abe4ca065d54fd043091f7b7e3b861a4d75efd7dc7ee66811d8f8b0d2e6a94ff9abf81b72f317ee0dfa894586c
-
Filesize
6KB
MD5fe246fca0746484bc268356209de6843
SHA137deb049400916bdfbc7352254bb1ade90459884
SHA25676b08c3eda2d0455a1d1f1128ca5c34f246913c3334ad55db94899bdbc17c6de
SHA5127a2631b953076fa6195ea124c17a9a32d454566d2d1496ea69f2d9599b16b918c0a6f23faf663b0496ed32df4bb3150b424159595c7a154730e7759021ef2d8c
-
Filesize
75B
MD53265e4a8801b7c1b0ca7548e9cc806f3
SHA1758a910c8d7fa38d566e4f2dd3ceadaa04e4b8a1
SHA25667715a80a77a968fff5ca4734ceb2c2372508d7a6a6eb445e1a07c92e8a25c35
SHA512e2013303804bf61f9cd894188bec79b2716b76807fc8db9534b7b8cf2b522f8e28d5eef8b177cbbfe9d4819853232f5e83f7cd61b707b032521bf4560a4e8cb7
-
Filesize
79B
MD54a44859213d72a4b3397dbed0bfce122
SHA1d7234b4b7ea2e8b3a9ccb861182e8a4e7f51c471
SHA2560206f70aedeecceb2b6d5ce856445e2eb9fcf8477f89249ebb996da6f1aa1fed
SHA512c24f9f9de6c7ebaa748ea3a589e0a45f9de178c320d3b590b914b2ae676f9c87955fa126a231b05d63a0a175443a55960d736a3d1835cc6e887ea550f3b4ee90
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
98B
MD5164f3a2e9075b5025de918014a99d9f1
SHA1d61cd4dcee16318862113cc38734855b59597ac6
SHA25659d4440dbe7830e442afe2d3f65c47fae1b3049374e83d2326527d7c7d269cfe
SHA5121e95a72d5bc1578ffb5497ce346c1d848469098daa5822fa0fb013d7d5ee0d169a5638d83d9bb4bb49fe13f83510423294c076583a6d349fbb0875e476dfda18
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
44KB
MD5086659c5ec7768e784387dd99d5d5085
SHA12a7d14a862b36290b14e4b31030104bfb7f1b9c0
SHA2560f55667258676c496e7ce4553edb754d147d76ec68e8436ae1d9eb6d732e8e2f
SHA5125a048a03ce83a05ffcf62ecf0ab51a0b1c47c2a4ccd92704e20788a54ea951fc43acfb0608cba002367ebb4c84700c985e1a6b1fe32d7829b7fef7951c055b11
-
Filesize
264KB
MD55dbebb933415052782ce1c75abdcb62d
SHA1c188ef9cc3ec13d8d68fd6ae7fbdd569f7b87d15
SHA25620471deb7811970725e98d7bb4c29372e73296daf5b8c69bf8de8ce1f244d288
SHA5121f84e72cc6f4e0e2ad23467e162692f0ba67c28a3d62aead2cfb6c22561ae08fbc6ef8fa533d0ea5b7806a5a47db45025b4291c2cf0aaf525a972c6e1919af0a
-
Filesize
4.0MB
MD581bdeed517e81e39227e2db39aa5e8e9
SHA1c0f412ebfd03f05da447f8be1fc35cb7ab8fc405
SHA256e808f8a284e31bcaccfbe89d464368a6966cbf8000c65a719210cd261c5967c8
SHA5129b6ab63cf0100225e509c5db474cc811b3326ee160263b5bbabbb30ed3908b72897fd6e303564b9f7c4dbf72101755658a543b479599261212fe0e6d9c03330f
-
Filesize
66B
MD5b5ef682d0e0c3092c4e17147a97abe09
SHA1070cc2dae12740caf572e7dce734efdd1ba09a4b
SHA25693c58e5610fc1a28cfb3753f75f8abc2e5993b330cf895c04ccc945c03294705
SHA512430389cadd9ee95d3195177d9a11e3a864ea3fe7e09272a8d7c11b14c322893caa67040673e2b3a886a6c0179645b711609944a0a73acbb9955fe7c464cb21be
-
Filesize
66B
MD56c8ce62d08b1beeca54b55c3e0fcd881
SHA19d68dcb0bfeee36d775fbf776e644f3876bd2e0e
SHA25604df97ddbc7320921a8b8f82ac519c55823a8481f3cc6a22212e4f59d06d8a8e
SHA5126f7a8f23db2d7c6097951412c395017101f649c7811819f9af202c392e1538953b5c6880ec9d9c51a5301c97386f0f6212a9ddbe4b37dd2b56028affd35bab14
-
Filesize
10KB
MD55099f95289bb8cc074f760795682544d
SHA1c38d35ade989e3b6aa2b22dc81b88b54c7fdb130
SHA25696b48fc25deb9b0cf3ec19413948199cdbfa6546d522a4bee902688b97ee3492
SHA5126bdffabc5859a5971700c0dd540c258eb06b0a258ddae0167804e49765b27619c45b316152cde1115a4521c17b7d26ca9058576e8d9ccfae59e7630746ebd49b
-
Filesize
65B
MD5e7b0fd003818ff1d09f357260d8348bd
SHA157e839387cc7cd5052aa35c5fcfd08fe9116e7c6
SHA256766a292cd3104feb5ac39eae03b2c63cee0f4fc728e9e2854a9dd48e9d6a0688
SHA512f12dda25d903f12b66cfa96a3c5d20390bac036ba6002b364f5cffb4e1ba5743722da8ffeaa48ff31851444f6895596e0e5df365963b372633e7406e71431cfd
-
Filesize
10KB
MD50cc67210eb1e5c1827751694f3cacac5
SHA1e8c2ef9c33c042311df98f7543430faa982244ab
SHA256df84f0682cbc34978231e218f1549fcda5ca6abf54fa37a356f0872b8655661b
SHA512c8b5daa7dc67f8764c5c0d2b09fd21c1e808787d25dafe9be9fdea980995f14f0799422b78b3725f91174f59e8a27bb12dbe470e81816c06531745d96ca955f3
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize4KB
MD5d13df6d6cafeea7bd73b5a8d63c30529
SHA1d9be24129a1619eb1dda0b67d1b322c9101711ca
SHA25698dffe5fba7a6fb63b85258815c78c41c16da68e5e1e2f02504327409b6d07d4
SHA512038ab7a23b97011f6a5030aa0f8b38a92bf4bfaa2558ab69ee6418b96ed4c937e442d8fdf4846e7f04aa1c38a11a37ba2f7a3dc81ac5b809c8c80530419855fd
-
Filesize
3.4MB
MD5e64dbe09fc1805177d9058a40807e128
SHA1fc15f43be27987315c8bcf61ff392ff8ac3e394c
SHA2569ae7d51b7c3e729d9fd0eb7b99811de3270e7b37931fff1f136efeb50d276a4c
SHA512806a78516ac5f08852fb80b702f5bfb891bb874542609641cc83bca13330554f1e670bf1544189eed15fe43facbee6765651d2ce7a6971ef57473696bb3cdccd
-
Filesize
41B
MD54971d4d76e0fa148dfcdcf62a50fb362
SHA15cccb0d4201ed33894c8f4c33107586e00c2ce06
SHA2564335d0458063bf5fb97dc67cea94ac132959994afd61205276e5ce68760f87e1
SHA512a9e9902e1fe8f4f612b712aec281ab3eeb9ac21d466b9595774ce3e39136d0c570c74a815c96aa79c760315b00ed7399c0ecb99fe63f76b4c2f1555562741321
-
Filesize
2.9MB
MD5ae052a3e0678ed368e7839322858ecc6
SHA1b51bee64bf34c304ad6341d9783d266c0a306be4
SHA25636e36f1435a1fcce0bc8ae6b08764d2b3595df0ba47cdd536354a292167fe73d
SHA5127933b5941ca3eb95e805bc98dd19ac5a39bb0df05d26862fd4e4fca6de709423a431f644016ff418507f0284f681c58ab00f1ed4268d0e15e92be05ab81fd0db
-
Filesize
66B
MD534df837827adf32b7bc9db0a262b743b
SHA1dbb84144a7b84a8c98f70b8055f6f5854e4208ca
SHA2560fb7c882f634f26b0ba07ea836d7247eec3c42ea12cdca2e52dba2ad41625e13
SHA5123e69029ad5b4da042da65ae0fbc6cb4db6a28801eccc805b01ff23d795dcef0f716dac0e9e036cdb53bb6687a84ad307a53d9f139a5ecdbfb361e4283902632e