Analysis
max time kernel: 155s
max time network: 166s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/10/2024, 00:09
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
- Sample: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
- Resource: win10v2004-20241007-en
Errors
General
- Target: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
Malware Config
Signatures
- Disables Task Manager via registry modification
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  pid   Process
  5188  WinNuke.98.exe
  5900  WinNuke.98 (1).exe
  3108  000.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only); Process: 000.exe; ioc (23 drive roots):
  \??\K: \??\M: \??\N: \??\Y: \??\E: \??\J: \??\L: \??\X: \??\B: \??\G: \??\R: \??\Z: \??\I: \??\O: \??\P: \??\Q: \??\S: \??\T: \??\A: \??\H: \??\W: \??\U: \??\V:
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  55    raw.githubusercontent.com
  56    raw.githubusercontent.com
- Modifies WinLogon (2 TTPs, 1 IoCs)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"  (000.exe)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper  (000.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  5852  3108        WerFault.exe  162
  3952  3108        WerFault.exe  162
- System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  by: taskkill.exe (2), WMIC.exe (2), WinNuke.98.exe, WinNuke.98 (1).exe, 000.exe, cmd.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  WINWORD.EXE
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU           WINWORD.EXE
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                     WINWORD.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily        WINWORD.EXE
- Kills process with taskkill (2 IoCs)
  2684 taskkill.exe; 6124 taskkill.exe
- Modifies registry class (3 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings  msedge.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"  000.exe
  Key created      \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{964146E5-8793-43AF-B20A-0761868670B8}  000.exe
- NTFS ADS (5 IoCs)
  File opened for modification by msedge.exe:
  C:\Users\Admin\Downloads\Unconfirmed 319874.crdownload:SmartScreen
  C:\Users\Admin\Downloads\Unconfirmed 236359.crdownload:SmartScreen
  C:\Users\Admin\Downloads\Unconfirmed 194766.crdownload:SmartScreen
  C:\Users\Admin\Downloads\Unconfirmed 76395.crdownload:SmartScreen
  C:\Users\Admin\Downloads\Unconfirmed 562094.crdownload:SmartScreen
- Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  5956 WINWORD.EXE (2)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  3148 msedge.exe (2); 4868 msedge.exe (2); 2420 identity_helper.exe (2); 4292 msedge.exe (2); 5748 msedge.exe (2); 5276 msedge.exe (2); 5796 msedge.exe (2); 5344 msedge.exe (2); 5320 msedge.exe (4); 3584 msedge.exe (2)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  4868 msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (12 IoCs)
  4868 msedge.exe (12)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  6124 taskkill.exe: SeDebugPrivilege
  3108 000.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
  2684 taskkill.exe: SeDebugPrivilege
  5380 WMIC.exe (the following sequence twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3108 000.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
  6024 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege (list ends at entry 64)
- Suspicious use of FindShellTrayWindow (64 IoCs)
  4868 msedge.exe (64)
- Suspicious use of SendNotifyMessage (24 IoCs)
  4868 msedge.exe (24)
- Suspicious use of SetWindowsHookEx (18 IoCs)
  4868 msedge.exe; 5956 WINWORD.EXE (14); 4868 msedge.exe; 3108 000.exe (2)
- Suspicious use of WriteProcessMemory (64 IoCs)
  pid   Process     wrote to memory of  procid_target  entries
  4868  msedge.exe  5052                83             2
  4868  msedge.exe  2536                85             40
  4868  msedge.exe  3148                86             2
  4868  msedge.exe  3512                87             20
Processes
- msedge.exe (PID 4868)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Virus/WinNuke.98.exe
  Signatures: Enumerates system info in registry; Modifies registry class; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - msedge.exe (PID 5052)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffa380546f8,0x7ffa38054708,0x7ffa38054718
  - msedge.exe (PID 2536)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  - msedge.exe (PID 3148)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 3512)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  - msedge.exe (PID 1000)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - msedge.exe (PID 652)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  - identity_helper.exe (PID 1092)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  - identity_helper.exe (PID 2420)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 4768)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  - msedge.exe (PID 2232)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  - msedge.exe (PID 1092)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3464 /prefetch:8
  - msedge.exe (PID 4292)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  - msedge.exe (PID 3184)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6220 /prefetch:8
  - msedge.exe (PID 3180)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  - msedge.exe (PID 4156)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  - msedge.exe (PID 4292)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - WinNuke.98.exe (PID 5188)
    Image: C:\Users\Admin\Downloads\WinNuke.98.exe
    Command line: "C:\Users\Admin\Downloads\WinNuke.98.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - msedge.exe (PID 5460)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  - msedge.exe (PID 5552)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=188 /prefetch:8
  - msedge.exe (PID 5748)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - WinNuke.98 (1).exe (PID 5900)
    Image: C:\Users\Admin\Downloads\WinNuke.98 (1).exe
    Command line: "C:\Users\Admin\Downloads\WinNuke.98 (1).exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - msedge.exe (PID 5080)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  - msedge.exe (PID 5276)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 5760)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  - msedge.exe (PID 5796)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6584 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - WINWORD.EXE (PID 5956)
    Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""
    Signatures: Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx
  - msedge.exe (PID 2892)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  - msedge.exe (PID 5936)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6968 /prefetch:8
  - msedge.exe (PID 5344)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 5320)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1872 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 5156)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  - msedge.exe (PID 1576)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5968 /prefetch:8
  - msedge.exe (PID 3584)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,18163064674574294353,5084401092965281312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - 000.exe (PID 3108)
    Image: C:\Users\Admin\Downloads\000.exe
    Command line: "C:\Users\Admin\Downloads\000.exe"
    Signatures: Executes dropped EXE; Enumerates connected drives; Modifies WinLogon; Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
    - cmd.exe (PID 5868)
      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
      Signatures: System Location Discovery: System Language Discovery
      - taskkill.exe (PID 6124)
        Image: C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im explorer.exe
        Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - taskkill.exe (PID 2684)
        Image: C:\Windows\SysWOW64\taskkill.exe
        Command line: taskkill /f /im taskmgr.exe
        Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      - WMIC.exe (PID 5380)
        Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic useraccount where name='Admin' set FullName='UR NEXT'
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - WMIC.exe (PID 6024)
        Image: C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic useraccount where name='Admin' rename 'UR NEXT'
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - shutdown.exe (PID 4592)
        Image: C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown /f /r /t 0
    - WerFault.exe (PID 5852)
      Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 4336
      Signatures: Program crash
    - WerFault.exe (PID 3952)
      Image: C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 4236
      Signatures: Program crash
- CompPkgSrv.exe (PID 3460)
  Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- CompPkgSrv.exe (PID 4960)
  Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- LogonUI.exe (PID 2276)
  Image: C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3877055 /state1:0x41c64e6d
- WerFault.exe (PID 5688)
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3108 -ip 3108
- WerFault.exe (PID 4328)
  Image: C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3108 -ip 3108
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: e55832d7cd7e868a2c087c4c73678018
  SHA1: ed7a2f6d6437e907218ffba9128802eaf414a0eb
  SHA256: a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
  SHA512: 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f
- Filesize: 152B
  MD5: c2d9eeb3fdd75834f0ac3f9767de8d6f
  SHA1: 4d16a7e82190f8490a00008bd53d85fb92e379b0
  SHA256: 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
  SHA512: d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: cb32d9d7a5ffb8fc64dba73fee3d97c9
  SHA1: 4cebcec2f463219f73b96b04a6e3741c57824f8b
  SHA256: 6bcdb2225097ad9f981fc9c8929c24b725b1866f847e8cc18d3ffa9c093d9cd5
  SHA512: af9f877d220c6259f1a1dd5a20ce19e2b518d92aeff69aaa06fec13febbc3298cb19eed51975215b087a90a1d6003648290e39722b7411ccc13f687dc1df3ed3
- Filesize: 579B
  MD5: ed5f4213c17629776cd75510648fc019
  SHA1: ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9
  SHA256: e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87
  SHA512: 71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627
- Filesize: 5KB
  MD5: b8428fd27ee9617841e86174778ab89f
  SHA1: a1a8a474d269b8b3efc6c5d55bbb2800fac5abea
  SHA256: f37a96c52a7e0d8793d8c0eb72f7543424a741c681b22e2692812f91afabcb25
  SHA512: 781499f4461e63199e09040a7ea90b575a3ad02ae9518708724843ee84b70e7b0adc5d814ec541493238910fe23a14c6ed5c9c1a054e9ed79fbd9de10718a49a
- Filesize: 6KB
  MD5: 9e8bdad0dd21de2da478521fea9fd202
  SHA1: 6afe47e03cd09655046e8b171f5554f411d3d67f
  SHA256: 9bc46ce8e208dad479ec47914c32b7926d597421d97dc08aa766471302331766
  SHA512: 0dbb951aafa8a6b5c012801dc9fc4db62c9f3f7dd8c08fda3e63672f970df3fcb5c940a088a46b5fd602e992731180d768e1ddc575f6f276a0349ae073e4e506
- Filesize: 1KB
  MD5: 3a92d3aff5732b273184c31de5d2c260
  SHA1: f886e9fa2db00842720361198c9a6f0e761e71b9
  SHA256: 5f0e5487865d2c66b173dac5fbabc50939d9e1916379dea23b05443bd9b83cb9
SHA512b8624923552d7d2c053c3c913c7e2aa2c091992ed402c6395baa52886fade4b3c7df6ab5e51548a786dd0fe1fea6c442c9d84f5b543e710cce47da9b5994a003
-
Filesize
1KB
MD58b691d9c8eb7fadbe1be9d313a58fe6f
SHA18c0a29037acdeb8113a7beb8d5a4bc215b16374b
SHA25679e3ab4f552428322c919567060dcbcf88a8edfa72e6430ef2c1ab977de21642
SHA512dde9e9797cdf35653a87020ec7c687dbd8c6e1ed3c1c6f882d7d9a312d23ecbd6deb4bb17cce30a80d6b751dc1f5e4c7192190fed2d1396886dfdbaf38a737c9
-
Filesize
1KB
MD584a3ea8458bd234bff232b5fce318fc0
SHA1d0797facf51f3e6204a899ac2456cf9b97e272e6
SHA2569c33f504429007538b709700a1027e4b6e94b903606f606d15bdfe51a0155440
SHA512fb02f011250d6b07767fec1085a8471f676f23aa21ba9800583ff87dfb1e946b3db8e9869249e5743d28c9268cdf51d5962c0ee53cff63cbb0ae9f8b5e15e826
-
Filesize
1KB
MD5e173803ab15e3f7703f5d7a3f532b290
SHA1bfbbf51bb491efda8fab234bf961ed8017a382a1
SHA256ba4bab2b6b2c0792606672d126b0214d16fb4f829997d008f8f21a9828ef3ee8
SHA51242cddbea5f8be2c246806e823f556b14d0a63102aedf86503889e48d49c049c59b49b2aacb3936592fef682e9e6a431549fb8aa57f21c88a04aa326f9c152bca
-
Filesize
1KB
MD57ef36a45f52837b10b97647542bd4117
SHA1d0184581258187d5cb7e319df72e6aacd2d8dc26
SHA2567f34cbabd6c71a8d43710ae6e9c3ee863dda30109f7a683a85bec7dbd45040b6
SHA51221497f1b129c7b6a315ab39db6a18046d9f239b2021dc394b8b6c634b4af7b31ec276b1ad766c1f15ab6e08e8055fae17cb850a4836cf5feb307b140e22b4254
-
Filesize
1KB
MD50b7c8cd7847483b864b84245e1edc463
SHA17b1e33b2bc1586d18a1d619d111aee634c8eb8a9
SHA256b64a62aa8b5e495b7f8902995c586233819019a85ea1ceba6d471e3ea476af09
SHA5123d4a28defe600502cd0709c1678bd278bee0cf13b548420e5e4a4e98798e65ef7c2e868eb044a207304b612fcf80ba36f16e3c649f18605355e2656d37145f06
-
Filesize
1KB
MD53b078f34b34f26ca359b0bd1a4b08812
SHA126624e656f6d3cd0e5afb0a05d8279bc3b0adc87
SHA2564f939e91c2b6afce6961176c5e88118c57ffcd7b5b659a4b096e6646ae2aae5d
SHA5124837c2cf7e75d0066803e2363ef1eb3e07011ab9b1c2d6848e12da2563c17be12095a053f0287311ef936199a7e49dbb54c68721d18ac7c43f15d6aea313be12
-
Filesize
1KB
MD5e50bbdb16562b2fb7bc63d8e2c04b44c
SHA109f2003d81d8cea6d7321e8e48ae1f3cbfe0bc57
SHA2563114e7bcc85f4b730a756329e0f3f549bdd8139333ac8ebf1688643e66e77372
SHA512f795bceedd45f754363f87c1a2cebf7e506e2d6728577739c85859841652080368a0ddc6c3465d272e769f6b1f7ffa12421a7a47bf7f40c9f4dad6204147b996
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5e59b3c9cbdc95da27cdec808a9c9aff2
SHA12380aba25896cddc5a2e6e1626ef2a23768ed2d1
SHA2564c95dd23c6c8d5ab42c9051d96d70c7eb2c02fdd51b7a4d248282e0bccc19591
SHA512af52f7cdebf4f466a9231315440ca8b346558680635817b4d37fc918a0a11b9f2640b0c456557d0745f9f46c1527588ba7ef9f41d79642e3394cddcc71771590
-
Filesize
12KB
MD5aee7b0a86ff7664bb230503cff270b89
SHA1196ba27234fe43175e649a236c6e505f28ba4dab
SHA256900d1c2244a40626232eddad4a609ae0de5c5ee2ee4db4dd5d833193d69159f0
SHA512220e600a28a315aaaff492e665491f129269d4522a00c7e27d03366cd1ed759347a20026858868137a166cea2895e82ecc859a75834bff895feaacbd368ca4d9
-
Filesize
11KB
MD5d46fd8b08f0213a8e0e2998148c3910c
SHA14b024cb66a37b41ecd85eea5099370d6186bcbad
SHA256609d66a89790c081f31a51e252dbf7c86969dbad87d089b552c8df5229dc43e2
SHA512a9e0ce31ed3a753f4d288606418b19089d726a4caa5f0f10c25c0157b112fec1ee37398fa497fd2263ae22d1f44623c261b96b0a0c29f8fa5d1a44f4f3ddc5d5
-
Filesize
896KB
MD581e9275c8e33d0471ee894497e870a15
SHA1c0027859fe85f9b8c01addd6e48e75ffb7945d26
SHA2567bf72a634b5d874bd3629c95357064b0591477b5a6df08d15ed5dabe7a008e4d
SHA512283c751985d3c3bc1670872cf55b164af64ebca18f85b64cff7fe364d9e498fa7299def8b68d4272901b8301d9c76ec826684bf28f66db713c715733c5b7003f
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize4KB
MD5bd39af9eaabac57c9fc406ca230ed187
SHA1be1fcc4e214556c0008d2ea650ded196fe35ae2d
SHA256ca2cb9aa45f8271340af50632ce7d3471c5f940fd5b4f46f8c8191cf68648e30
SHA512c76c7b1e86fbbd7cd8245cc1575f8d1a955b48916860fbfc36ba226050302a4e641240bea0b3048ae0f850ec13a021eb5864289d9febf75d87e4b35e6457df43
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
403B
MD56fbd6ce25307749d6e0a66ebbc0264e7
SHA1faee71e2eac4c03b96aabecde91336a6510fff60
SHA256e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690
SHA51235a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064
-
Filesize
76KB
MD59232120b6ff11d48a90069b25aa30abc
SHA197bb45f4076083fca037eee15d001fd284e53e47
SHA25670faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be
SHA512b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877
-
Filesize
396B
MD59037ebf0a18a1c17537832bc73739109
SHA11d951dedfa4c172a1aa1aae096cfb576c1fb1d60
SHA25638c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48
SHA5124fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f
-
Filesize
81KB
MD5d2774b188ab5dde3e2df5033a676a0b4
SHA16e8f668cba211f1c3303e4947676f2fc9e4a1bcc
SHA25695374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443
SHA5123047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131
-
Filesize
771B
MD5a9401e260d9856d1134692759d636e92
SHA14141d3c60173741e14f36dfe41588bb2716d2867
SHA256b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7
SHA5125cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6
-
Filesize
408B
MD528ddd2db8f3e641631429aa590effa4a
SHA14c660d8d6c80955814c7c160a8efce572f4b28d2
SHA2568aa6b026004fafa75e9f1013e3546d1442583c3926532b8bbdf427f058197ce8
SHA512b9f89fed65c6c2204de592d928d1b543fc810dbdd8062cfadf18bf3b140450e3e1f61e28aad476932822bfeaa0defa535eceb7506be45e4a4d641d96e43d0048
-
Filesize
31KB
MD5a5bd91f921ba46ff0e5486a06c8c2844
SHA127e9786791c9ea96725195d0f1c4eadc46c25315
SHA2561de047d70a8bd05288888dc915e7b6016c652001db511aefa07833c1411c24d5
SHA5123718e8bcb88d51ad10fe472d451f24dba7ab1ddf2637295f61768440e4cdd9e06180c0a5f0840b0836ea9be80c22fa3c7485adbf8e62c0ce6f46c9f4b1addfc3
-
Filesize
40KB
MD54b68fdec8e89b3983ceb5190a2924003
SHA145588547dc335d87ea5768512b9f3fc72ffd84a3
SHA256554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca
SHA512b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f
-
Filesize
4KB
MD593ceffafe7bb69ec3f9b4a90908ece46
SHA114c85fa8930f8bfbe1f9102a10f4b03d24a16d02
SHA256b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07
SHA512c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144
-
Filesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize
6.7MB
MD5f2b7074e1543720a9a98fda660e02688
SHA11029492c1a12789d8af78d54adcb921e24b9e5ca
SHA2564ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966
SHA51273f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a