Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
112s -
max time network
116s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05/08/2024, 15:41
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://topdownloadcenterlive.com/NLP1/?source=3052_96484_&click=66aeca68d800ae00018cde51&filename=Setup.exe
Resource
win10v2004-20240802-en
General
-
Target
https://topdownloadcenterlive.com/NLP1/?source=3052_96484_&click=66aeca68d800ae00018cde51&filename=Setup.exe
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\fr.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\fur.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\License.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\hy.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\mng.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\az.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\fi.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\gu.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\an.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\kk.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\pt.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\mn.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ext.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\sk.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\nb.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\lt.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\sl.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\th.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\eo.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\hr.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\lv.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm msiexec.exe File opened for modification C:\Program Files\7-Zip\descript.ion msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\tt.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\vi.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\mng2.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\ast.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\bn.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\sq.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\th.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\License.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\mng2.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\descript.ion msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\pt.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\hi.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\ne.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\gl.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\bg.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\sa.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\ga.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\mk.txt msiexec.exe File created C:\Program Files\7-Zip\History.txt msiexec.exe File created C:\Program Files\7-Zip\License.txt msiexec.exe File created C:\Program Files\7-Zip\Lang\ta.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\be.txt msiexec.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt msiexec.exe -
Drops file in Windows directory 29 IoCs
description ioc Process File opened for modification C:\Windows\Installer\e584457.msi msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip.dll msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000 msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx msiexec.exe File opened for modification C:\Windows\Installer\MSIDCCF.tmp msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\CacheSize.txt msiexec.exe File created C:\Windows\Installer\e5844a5.msi msiexec.exe File created C:\Windows\Installer\e584457.msi msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zFM.exe msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI4580.tmp msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.dll msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx msiexec.exe File created C:\Windows\Installer\SourceHash{23170F69-40C1-2702-2201-000001000000} msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0 msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zip32.dll msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zG.exe msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.exe msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7z.sfx msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\22.1.0\_7zCon.sfx msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\96F071321C0420722210000010000000\CacheSize.txt msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe -
Modifies registry class 35 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Directory\shellex\DragDropHandlers\7-Zip msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Program = "Complete" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\ProductName = "7-Zip 22.01 (x64 edition)" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Version = "369164288" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\7-Zip msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96F071321C0420720000000040000000\96F071321C0420722210000010000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\PackageName = "7z2201-x64.msi" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\7-Zip msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\7-Zip msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\LanguageFiles = "Complete" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\96F071321C0420722210000010000000\Complete msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\SourceList msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings msedge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Drive\shellex\DragDropHandlers\7-Zip msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420722210000010000000\PackageCode = "96F071321C0420722210000020000000" msiexec.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 453043.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 960 msedge.exe 960 msedge.exe 3340 msedge.exe 3340 msedge.exe 3020 identity_helper.exe 3020 identity_helper.exe 3232 msedge.exe 3232 msedge.exe 4320 msiexec.exe 4320 msiexec.exe 4320 msiexec.exe 4320 msiexec.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2028 msiexec.exe Token: SeIncreaseQuotaPrivilege 2028 msiexec.exe Token: SeSecurityPrivilege 4320 msiexec.exe Token: SeCreateTokenPrivilege 2028 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2028 msiexec.exe Token: SeLockMemoryPrivilege 2028 msiexec.exe Token: SeIncreaseQuotaPrivilege 2028 msiexec.exe Token: SeMachineAccountPrivilege 2028 msiexec.exe Token: SeTcbPrivilege 2028 msiexec.exe Token: SeSecurityPrivilege 2028 msiexec.exe Token: SeTakeOwnershipPrivilege 2028 msiexec.exe Token: SeLoadDriverPrivilege 2028 msiexec.exe Token: SeSystemProfilePrivilege 2028 msiexec.exe Token: SeSystemtimePrivilege 2028 msiexec.exe Token: SeProfSingleProcessPrivilege 2028 msiexec.exe Token: SeIncBasePriorityPrivilege 2028 msiexec.exe Token: SeCreatePagefilePrivilege 2028 msiexec.exe Token: SeCreatePermanentPrivilege 2028 msiexec.exe Token: SeBackupPrivilege 2028 msiexec.exe Token: SeRestorePrivilege 2028 msiexec.exe Token: SeShutdownPrivilege 2028 msiexec.exe Token: SeDebugPrivilege 2028 msiexec.exe Token: SeAuditPrivilege 2028 msiexec.exe Token: SeSystemEnvironmentPrivilege 2028 msiexec.exe Token: SeChangeNotifyPrivilege 2028 msiexec.exe Token: SeRemoteShutdownPrivilege 2028 msiexec.exe Token: SeUndockPrivilege 2028 msiexec.exe Token: SeSyncAgentPrivilege 2028 msiexec.exe Token: SeEnableDelegationPrivilege 2028 msiexec.exe Token: SeManageVolumePrivilege 2028 msiexec.exe Token: SeImpersonatePrivilege 2028 msiexec.exe Token: SeCreateGlobalPrivilege 2028 msiexec.exe Token: SeBackupPrivilege 1748 vssvc.exe Token: SeRestorePrivilege 1748 vssvc.exe Token: SeAuditPrivilege 1748 vssvc.exe Token: SeBackupPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe Token: SeTakeOwnershipPrivilege 4320 msiexec.exe Token: SeRestorePrivilege 4320 msiexec.exe -
Suspicious use of FindShellTrayWindow 41 IoCs
pid Process 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 2028 msiexec.exe 2028 msiexec.exe 2028 msiexec.exe 5024 msiexec.exe 5024 msiexec.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe 3340 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3340 wrote to memory of 1308 3340 msedge.exe 83 PID 3340 wrote to memory of 1308 3340 msedge.exe 83 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 4464 3340 msedge.exe 84 PID 3340 wrote to memory of 960 3340 msedge.exe 85 PID 3340 wrote to memory of 960 3340 msedge.exe 85 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 PID 3340 wrote to memory of 5064 3340 msedge.exe 86 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://topdownloadcenterlive.com/NLP1/?source=3052_96484_&click=66aeca68d800ae00018cde51&filename=Setup.exe1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3340 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa62ab46f8,0x7ffa62ab4708,0x7ffa62ab47182⤵PID:1308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:22⤵PID:4464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:960
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:82⤵PID:5064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:4712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵PID:1928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:12⤵PID:636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:12⤵PID:4920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:12⤵PID:3304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:82⤵PID:532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:12⤵PID:2372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:12⤵PID:2580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5520 /prefetch:82⤵PID:3308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:12⤵PID:4752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,948775312016468358,6404492918165967697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3232
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2028
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\7z2201-x64.msi"2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:5024
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:228
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1012
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:5000
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2092
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
28KB
MD55fa9c5e0ee210ae8093a16051cd3ea95
SHA18a76cac38020a00b90490d3917f489f39fda34b3
SHA256e5980d14702bd496ed18b09ef75d9bb76e9fc5c8ca320a16867696f32b4b58e7
SHA512cb53a9f6e34672f79bd058fe8cf79a8ca2232a7278a285ead58c19c2a7521c39e64b19e165ed6cb968608b7e1ae1bde775306faaa97e2c3a760128c09cd394cc
-
Filesize
5KB
MD5b03edc69c6c18de52c506695cb0635b5
SHA1d007ed14dffd3b6a6703622def4fca03017424cd
SHA25603e396c5882ff4d70d5ce7bcde5f9bd4d8ae1a9edebaa3545b7b2c93362c82f5
SHA512cc0c0eafe6277d1634cefb8525e4210ebfa473a36311d9c4a461a57e7f5f7ca247af66343d8cf50cf8dbba50224c7985480e329046f60191b8c387b594ace3e4
-
Filesize
1.7MB
MD5bbf51226a8670475f283a2d57460d46c
SHA16388883ced0ce14ede20c7798338673ff8d6204a
SHA25673578f14d50f747efa82527a503f1ad542f9db170e2901eddb54d6bce93fc00e
SHA512f68eb9c4ba0d923082107cff2f0e7f78e80be243b9d92cfab7298f59461fcca2c5c944d4577f161f11a2011c0958a3c32896eba4f0e89cd9f8aed97ab5bc74f9
-
Filesize
532KB
MD5fe522d8659618e3a50aafd8ac1518638
SHA17d1b392121da91393f69d124928f9fe50d62f785
SHA256254cf6411d38903b2440819f7e0a847f0cfee7f8096cfad9e90fea62f42b0c23
SHA512fbbcb853b77ac038e4b7f7668e9fefdc7ba3592c6899cddfd72125d68d0b2d6b858baa3987907d58a5333ea9a4d5eb0ab8b7535a6263738f96212a6146c49b81
-
Filesize
211KB
MD51ffec2a95db8f1fa25d3b275261728b4
SHA1123fbcc9e2e35b5782ae19bb18e8f8ebdb2fc29b
SHA256dd9dbe58cd2f798b432d9ba9bbffe13d08bf9dc18c9b6a6ecf4ba71b238677e3
SHA5124bd65e5edf3aa9bd6271b0abc17080bfdfca62e0ac1a927ccb01e358dc21c0f7ad3790c02fc2d2a07fb836ce8af471b035adafa12d4c703c2a1745f35fd1114a
-
Filesize
191KB
MD5e0eb40842ca3a05b93e8fcf19f0bcc16
SHA101f14ac781463066de363e63039b6b5c80e7a2d2
SHA25632decd776fc0020d399adcea54ff1b338110514e598a2788b4d9d7ea82582445
SHA5123981e7c761ec81cb1b18e46b82355cb8b160028fca0f5b7159cd9fcab3824172cf496da57518ce9344351d49d576eea0e1d09b54e1d5fbf2da882ffa8061a7d9
-
Filesize
935KB
MD5d36deceeb4c9645aab2ded86608d090b
SHA1912f4658c4b046fbadd084912f9126cb1ae3737b
SHA256018d74ff917692124dee0a8a7e6302aecd219d79b049ad95f2f4eedea41b4a45
SHA5129752a9e57dd2e6cd454ba6c2d041d884369734c2b62c53d3ec4854731c398cd6e25ac75f7a55cda9d4b4c2efb074cb2e6efcbf3080cd8cc7d9bc8c9a25f62ff2
-
Filesize
668KB
MD55ab26ffd7b3c23a796138640b1737b48
SHA16dab8c3822a0cab5b621fd2b7f16aebb159bcb56
SHA256eb775b0e8cc349032187c2329fefcf64f5feed4d148034c060e227adf6d38500
SHA5122b40489f46e305f7e3455cac25e375711a6a1733861ee7bf1b800b86eaad2f40871c219924ddceb69b9748ae3cf9de59f0edffd7ed7b5e7f35d1239fe0333a78
-
Filesize
92KB
MD5c3af132ea025d289ab4841fc00bb74af
SHA10a9973d5234cc55b8b97bbb82c722b910c71cbaf
SHA25656b1148a7f96f730d7085f90cadda4980d31cad527d776545c5223466f9ffb52
SHA512707097953d876fa8f25bfefb19bfb3af402b8a6a5d5c35a2d84282818df4466feba63b6401b9b9f11468a2189dcc7f504c51e4590a5e32e635eb4f5710fd80b2
-
Filesize
61KB
MD58d46b86e8a60ae61796c6a95b4acbe5f
SHA1f94fd98d504b4654b5dd8cbc244f755f07a4ec99
SHA2566c5de0800ef7a46174ce4f6eb4703a4b69369e8652d43f9337fba72eafdf86b4
SHA51225e4bacd553f2b1844f4a7fb63f17ebf739c4ab1a861f418c1066ec2244f0848695b31fa3a4d8da5aa7eee436045cc94da508b9494a2ffc086e9843b1e648613
-
Filesize
3B
MD521438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize96B
MD550061052293129ae7303505112bc7165
SHA18c25c7a3e5120eea545c4aa99ba587d76adb9136
SHA2561dc8b901e05fe6c294555ffb4a47f687971aa752162846c14c6a84ce9a45940a
SHA5120e48ad92f06c37918d98f3e1706210c239c113c335d6a07cecbbf542ef364de1a04546889a78d748e3ea77e35a5df6de218bae164477eb714993dc3cddf45849
-
Filesize
1KB
MD5408c5370cc70674b14e93f27bf008233
SHA1f1e1cd18b0a4bb44ea048bd19e5926ff2e84a792
SHA256b5665b84c8817c7ec03e71318f3e06a0ab3ab7846e63ee18d9ccb22ae9c488ce
SHA512be5aa7367fcc25d3def9dcf54dec0812040d19b56e1584a5c6c1679a050b97f027c67298e1cc759da7eb3f786c695aa02ec1c44369ddeb87692cfd44be5a08cd
-
Filesize
6KB
MD54092524f109ed853afc26a51075ebab5
SHA198c671786c3321bb1b25670a339d5f07dadaa939
SHA256e8cf9c9144ab77aef7316abe9a1a75dda45ca6677eed99e2d5c5d3874d9797aa
SHA5126e80d7616412c5b16677b719347c62a89fe9dc592185de2ece12bf6d625f435dc92d0797d4e2ca616d9aa6f74a5164f8c0f71ef6f1a1c935093a63d1d7ef4943
-
Filesize
6KB
MD5208f18860cd50bad3680c64410ccead9
SHA102c68ad419a6ee2824376d9072e35bb3be7a2e29
SHA256e3746430a18a1e08a009e4e23ad88b95be4a9fe8214522ec526fb52153e25e4c
SHA5129f474521d159690fd11e3a62566e3505608088b82c8aea699502c9090d7c0316ac2c982e746cc8232d220360d252d5330195a119d55b0e86c671822b930e3cad
-
Filesize
6KB
MD50ebc69100de2baae471ef4f849f628ec
SHA18a953b999187e74ea5f60c6db96cf7dbf8b24938
SHA256fee051f7d4bba695f0ac5ee45d1a88632a99954962046130dbc100025fc6b5ba
SHA512d06bd04760db356dee97d86686eef23d1e28ea7e7e262e371c797ea7da8e5a597e7e8afe9276a9cb186fd669e822c8f42d4caf401e17e9e9c0af3796ae1b5879
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5bf87ef75b1994bfa9d2420ec71346df1
SHA17ad28741cd94a272f3b1f00566c8bdec6f05ee22
SHA25683cd0eb0edb949fb7afb04c3acde192b4fa5d8dd68a96dda2b6307a66df62741
SHA51259a70e42563678180efb86bce87e2c1fefdd7c548ad3050b93583694ad8e3d970baee5e1535c22d38e5b28bae4d4715d83f937d3292b8d248548da24f4e23b36
-
Filesize
11KB
MD554eb162f83251ba8fd0055207cfd91d1
SHA1f0ee3e239c7a54021b7ed7b547cd61136df3d3b3
SHA25636a2aaba71579b0efe62a8f31f27cfbab0aeef838e60ee31206a773758450de7
SHA512f94798c9912d2e644346d5e7c2718c49038a6e515bdbefc752e170a7dea35709e5211be49bdedcd0ce35ddbe5eea2733cf124b681c77fae6cfa41adecc0c98c3
-
Filesize
11KB
MD50eecd2ce67b4ec13755b9033e5a1b4ab
SHA185e91b5ab895bdd4ac65a9cce5e679032d09e4fe
SHA2562621f1167e3770df6a4d66dc03fdf0e41e694c7c33909fcf38abc94aa89b6caa
SHA512538e48e884a949a502eca7aecab80748a157d28b42ce34d2427d4f80697cc5fdd021c578b184a6edb7fd23c3b5ace74b18960bed2a2c0a5bc7d564bbd3281b4a
-
Filesize
10KB
MD573c8cadd54918f47d2145a15306096e5
SHA169511bda19b73d62e7996788c9039fb6dc7cda32
SHA25646534d34bf201438e8eb54f52d1ecf1e7b7f68ed7ee5cc495acada8e79802cd9
SHA5122cd1421f6f770d535ad19ea0bd9c48168389220937d8584ca4a2f1953e9a8e77f6e13b7964bb4427afb45664e7c32d5860213e6f3acbedf1f6460b70122bcb2c
-
Filesize
1.8MB
MD550515f156ae516461e28dd453230d448
SHA13209574e09ec235b2613570e6d7d8d5058a64971
SHA256f4afba646166999d6090b5beddde546450262dc595dddeb62132da70f70d14ca
SHA51214593ca96d416a2fbb6bbbf8adec51978e6c0fb513882d5442ab5876e28dd79be14ca9dd77acff2d3d329cb7733f7e969e784c57e1f414d00f3c7b9d581638e5
-
Filesize
23.7MB
MD5e23ee677c84961e2238bede1d7b623bd
SHA1ed7d2f24f8f040a38d325c03c980b1f425d1c009
SHA256d301c5dcddc2b5c9b558bc063da425bfc06356d422b521c2708185f4b062dc39
SHA512fb4496633e7f2f25b40cdf6fca6d25efbdc9ebd8dd1a60e213278cf780f65738ddab95b87aa71d754f9d0c50878ffff6f8b25e8097a134b91b17569cbf4c4270
-
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{41556c63-59d6-49b3-b7f3-edfe95e48c56}_OnDiskSnapshotProp
Filesize6KB
MD54cf0fe2670e89cfb5ba0b8be9347aba6
SHA193613cfae7739111801a0aac3d77c64c0ad9c8c8
SHA2563e69f03ef9714cdeb187247d6abd8570daae7a1eb172a91ccf0874e6562d6574
SHA5129556a1f8ee85124e9f0384d2cf0aa2d3fbd4cb5c3a55c70c2ce16d3d5bb8bd6aa008f93ce9c07bd02aa33b132ebaf7b03ad419ab1f0853b1b447dc5041d6e30a