7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0

Analysis

max time kernel
600s
max time network
480s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/01/2023, 03:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IsaacWiper.dll
Size

219KB
MD5

6c10466ad7c153e7f949fa3c6600b6ac
SHA1

5d009f79383a81622eefd8b183efb23fbf96a62f
SHA256

7bcd4ec18fc4a56db30e0aaebd44e2988f98f7b5d8c14f6689f650b4f11e16c0
SHA512

54a7565a2ce2030b4b865835e13e2de6b7b5bb8f171e7d9db28c3fd1de8d98b7072f50effeb5d15a6ca66a2ff309cbe9b7732154f4a2855ad20c79803f0df33e
SSDEEP

6144:pjU6yx1p7lvER8SPD/xzL0ruSSbAOfyVM:Ju1pZvPuDF0ruSSbkVM

Score

8^/10

bootkit persistence ransomware spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\wimmount.sys	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\Tmf4C4D.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\Tmf4C5D.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\pacer.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\pacer.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\qwavedrv.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\Tmf84F9.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\Tmf84F9.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\qwavedrv.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Tmf4C5D.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\Tmf4C9B.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\Tmf4CBA.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Tmf4CE9.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\Tmf4C4D.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\qwavedrv.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\pacer.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\Tmf84F9.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\Tmf4C7C.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\scfilter.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\tcpip.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\scfilter.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\qwavedrv.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\Tmf84EA.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\bfe.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\scfilter.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\Tmf84F9.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\tcpip.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\tcpip.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\bfe.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\qwavedrv.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\scfilter.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\Tmf4C6C.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\Tmf4CAB.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Tmf84F9.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\Tmf84F9.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\pacer.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\scfilter.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\bfe.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\Tmf84EA.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\Tmf4C4D.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Tmf4C6C.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\Tmf4C5D.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\tcpip.sys.mui	rundll32.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\CloseEnter.tiff	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\FormatStop.tiff	rundll32.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Media\Landscape\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Media\Quirky\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	rundll32.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini	Explorer.EXE
File opened for modification	C:\Windows\Globalization\MCT\MCT-ZA\Wallpaper\desktop.ini	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Media\Calligraphy\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	rundll32.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini	rundll32.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1214520366-621468234-4062160515-1000\desktop.ini	rundll32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\CYEXZCX2\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Public\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Media\Heritage\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Web\Wallpaper\Scenes\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	rundll32.exe
File opened for modification	C:\Windows\Media\Sonata\Desktop.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	rundll32.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	rundll32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\en-US\ssText3d.scr.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\en-US\wpcao.dll.mui	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~en-GB~7.1.7601.16492.cat	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SimpleTCP-Package~31bf3856ad364e35~amd64~~6.1.7600.16385.cat	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\netsstpt.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\avmx64c.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netloop.inf_amd64_neutral_856142fd87f1c21a\netloop.inf	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR2192E3.PPD	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\activeds.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\msimsg.dll.mui	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netvwifimp.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7MDL0O.DLL	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ifsutil.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Licenses\eval\UltimateE\Tmf8538.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Anytime-Upgrade-Results-Package~31bf3856ad364e35~amd64~fr-FR~6.1.7601.17514.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\win32k.sys.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\mprapi.dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\en-US\themecpl.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\IME\IMETC10\IMTCCFG.DLL	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\vdswmi.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_History.help.txt	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\C_20423.NLS	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Dism\DismProv.dll	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\prnca00i.inf	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\wbemcntl.dll.mui	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\wiabr008.inf_loc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\en-US\cscript.exe.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\PerfCenterCPL.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\sessenv.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\_Default\EnterpriseN\Tmf86FC.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\sisraid4.inf_loc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\dsquery.dll	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smf4x6.gpd	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Tmf409A.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\SA5935.icc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\en-US\imapi2fs.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\mscandui.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\diskraid.exe.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\EnterpriseN\license.rtf	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnep00b.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr004.inf_amd64_neutral_a78e168d6944619a\Amd64\brio08ae.bcm	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00b.inf_amd64_neutral_2e6b718b2b177506\Amd64\Tmf5736.tmp	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\OptionalFeatures.exe.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Dism\Tmf84EA.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RasRip-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPZSCWN7.DTD	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky002.inf_amd64_neutral_525d9740c77e325f\Amd64\Tmf5BF6.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\megasas.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\msports.inf_loc	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\Tmf67E8.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\prnnr002.cat	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\NR3172E3.PPD	rundll32.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NFS-ClientSKU-Package~31bf3856ad364e35~amd64~es-ES~6.1.7601.17514.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\netmsg.dll.mui	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\prnod002.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\netxfx64.inf_loc	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\Tmf514C.tmp	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1402E3.PPD	rundll32.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\prnrc00a.cat	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\qcap.dll.mui	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\jetxbasepdx-DL.man	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\tracerpt.exe	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_methods.help.txt	rundll32.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+8	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099182.WMF	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\npjp2.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PROGRAM.XML	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\TmfDDF1.tmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.JS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIP.DPV	rundll32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png	rundll32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page.wmv	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\management.properties	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS2SWOOS.POC	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	rundll32.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Tmf1B6.tmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fi.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll	rundll32.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\TmfB19.tmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00505_.WMF	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\it-IT\Chess.exe.mui	rundll32.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\System.RunTime.Serialization.Resources.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00479_.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4B.GIF	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Adjacency.eftx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\ReachFramework.resources.dll	rundll32.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml	rundll32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\TmfCBE.tmp	rundll32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\TmfD79.tmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\INDUST.INF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\es-ES\msadcfr.dll.mui	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_10.MID	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar	rundll32.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Majuro	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\it-IT\msdaorar.dll.mui	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_ja_4.4.0.v20140623020002.jar	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_m.png	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\Tmf3B6C.tmp	rundll32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\fr-FR\FreeCell.exe.mui	rundll32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\TmfD99.tmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\TmfDF1A.tmp	rundll32.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libsubsdelay_plugin.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LOGO98.POC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js	rundll32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InputPersonalization.exe.mui	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Hermosillo	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF	rundll32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD	rundll32.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\PerformancePerftrack.adml	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-hlink.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b39bb2bcd16171bb\TmfB7CC.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-r..iagnostic.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2cb9f2652ac79e9b\rdrleakdiag.exe.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-taskmgr.resources_31bf3856ad364e35_6.1.7600.16385_it-it_bf7bcd2342ef18a6\taskmgr.exe.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_wd.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_28f48ca4a7ea80b0\wd.sys.mui	rundll32.exe
File opened for modification	C:\Windows\Help\Windows\ja-JP\secpriv.h1s	rundll32.exe
File opened for modification	C:\Windows\Cursors\busy_il.cur	rundll32.exe
File opened for modification	C:\Windows\Help\mui\0411\eventviewer.CHM	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources\setUpAuthentication.aspx.it.resx	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303\app852.fon	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..calmediadisc-styles_31bf3856ad364e35_6.1.7600.16385_none_dac1eab162daeb45\scene_button_style_default_Thumbnail.bmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-system.xml.linq_31bf3856ad364e35_6.1.7601.17514_none_fa08851339f04110\Tmf5AD.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_crcdisk.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_b0cd2293e5f54fde\Tmf8BFB.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-library.resources_31bf3856ad364e35_6.1.7600.16385_it-it_b72a595fbf4e48e2\TmfB55C.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_it-it_31f2bea73f8ae0c2\TmfBA2C.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-onex.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0fc6034f6c4802b1\onexui.dll.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_hcw72b64.inf_31bf3856ad364e35_6.1.7600.16385_none_b2017fc4229ff517\Tmf8D04.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..lprovider.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_6fe87f3f7efbec00\SmartcardCredentialProvider.dll.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..r-setup-thunking-32_31bf3856ad364e35_6.1.7600.16385_none_731cb4d9e6d30038\ds32gt.dll	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep00a.inf_31bf3856ad364e35_6.1.7600.16385_none_aca456a8af7f0d6c\Amd64\EP0NOE03.DLL	rundll32.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\Tmf3831.tmp	rundll32.exe
File opened for modification	C:\Windows\explorer.exe	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_perf.ini	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-devicepairingdll_31bf3856ad364e35_6.1.7600.16385_none_c9f831f51cc159db\TmfA46B.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_wcf-infocard_api_dll_31bf3856ad364e35_6.1.7600.16385_none_ffdbec6fc9513d29\infocardapi.dll	rundll32.exe
File opened for modification	C:\Windows\Fonts\tahoma.ttf	rundll32.exe
File opened for modification	C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.mum	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..on-authui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1641d14c740080f5\authui.dll.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-pwrmgm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_27073ffff95461ef\TmfB730.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ty-syskey.resources_31bf3856ad364e35_6.1.7600.16385_en-us_18de188fa98ca8e3\syskey.exe.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_netefe3e.inf_31bf3856ad364e35_6.1.7600.16385_none_3efbec6b6d8e1c9d\eFE5b32e.sys	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..structure.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_65c533f1c582e47c\unlodctr.exe.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..baaupdate.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fe605668f6e20f1a\TmfE679.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wwan-coinstaller_31bf3856ad364e35_6.1.7600.16385_none_f03daa5afd0277e3\TmfDC.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_prnsa002.inf_31bf3856ad364e35_6.1.7600.16385_none_02a32ac8d56280f6\Amd64\smf583.gpd	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-u..ationcore.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bd860a6e53c83af9\UIAutomationCore.dll.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_images_b03f5f7f11d50a3a_6.1.7600.16385_none_3b995fcfc0e586ab\Tmf475.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_wiaxx002.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8770a4eca4bac0fb\xrWPcoin.dll.mui	rundll32.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_es_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources.dll	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7601.17514_none_c64bcd78edeebc0a\Tmf11.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\WsmTxt.xsl	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep002.inf_31bf3856ad364e35_6.1.7600.16385_none_9379fee912f1f625\Amd64\EP0SLM01.DLL	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_wcf-servicemodelreg_b03f5f7f11d50a3a_6.1.7601.17514_none_40fc6e6d1b4ea992\Tmf1565.tmp	rundll32.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\fr-FR\CL_LocalizationData.psd1	rundll32.exe
File opened for modification	C:\Windows\inf\.NET Data Provider for SqlServer\0411\TmfB397.tmp	rundll32.exe
File opened for modification	C:\Windows\inf\mdmairte.inf	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17932_none_d26a33ec18cb49c4\conhost.exe	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-usermodensi_31bf3856ad364e35_6.1.7600.16385_none_ce571486e124e749\nsi.dll	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-aspnet_webadmin_b03f5f7f11d50a3a_6.1.7600.16385_none_6cb4cb2fec54f7c8\Tmf465.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ionengine.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9c4c47a945609340\scesrv.dll.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..rk-msimtf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_9802324a8a1458f5\TmfF48D.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..deviceapi.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f481d1fe1ea802bc\TmfFA09.tmp	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wpfcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_de-de_67492786b811b2a0\PresentationUI.resources.dll	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\SmtpSettings.aspx.resx	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..-ehkorime.resources_31bf3856ad364e35_6.1.7600.16385_en-us_2ff59b0d75773261\ehkorime.dll.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-bitmap-terminal_31bf3856ad364e35_6.1.7600.16385_none_70644a8bdb0d9303\app950.fon	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..e-diagnostic-module_31bf3856ad364e35_6.1.7600.16385_none_15f0d2a592fd0ac2\memdiag.dll	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_tsprint.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_94fa9583519bc058\Tmf1508.tmp	rundll32.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\d8c41b9b493fc289758fc3f7f094df61\System.AddIn.Contract.ni.dll.aux	rundll32.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\RS_Themes.ps1	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-efs-rekeywiz.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_4419988711552355\rekeywiz.exe.mui	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-aclui_31bf3856ad364e35_6.1.7600.16385_none_b0ff4fc4cd57c163\aclui.dll	rundll32.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..unddriver.resources_31bf3856ad364e35_6.1.7600.16385_de-de_210d66fabcd42073\rdpendp.dll.mui	rundll32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1096	1236	WerFault.exe	16
592	652	WerFault.exe	33

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
652	Explorer.EXE
1032	Explorer.EXE

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1212	rundll32.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	652	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeShutdownPrivilege	1032	Explorer.EXE

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE

Suspicious use of SendNotifyMessage 38 IoCs

pid	Process
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
652	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE
1032	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1212	832	rundll32.exe	28
PID 832 wrote to memory of 1212	832	rundll32.exe	28
PID 832 wrote to memory of 1212	832	rundll32.exe	28
PID 832 wrote to memory of 1212	832	rundll32.exe	28
PID 832 wrote to memory of 1212	832	rundll32.exe	28
PID 832 wrote to memory of 1212	832	rundll32.exe	28
PID 832 wrote to memory of 1212	832	rundll32.exe	28
PID 652 wrote to memory of 592	652	Explorer.EXE	36
PID 652 wrote to memory of 592	652	Explorer.EXE	36
PID 652 wrote to memory of 592	652	Explorer.EXE	36

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\IsaacWiper.dll,#1
  2⤵
  - Drops file in Drivers directory
  - Modifies extensions of user files
  - Drops startup file
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: RenamesItself
  PID:1212

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1236 -s 1948
1⤵
- Program crash
PID:1096
- C:\Windows\Explorer.EXE
  "C:\Windows\Explorer.EXE"
  2⤵
  - Modifies Installed Components in the registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 652 -s 1052
    3⤵
    - Program crash
    PID:592
  - - C:\Windows\Explorer.EXE
      "C:\Windows\Explorer.EXE"
      4⤵
      Modifies Installed Components in the registry
      Drops desktop.ini file(s)
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office14\Custom.propdesc

Filesize
1KB

MD5
ff79e1f0014d014be32491981cd9d381

SHA1
0b26775c84f85358b4f1e3aa76bc77bfb4e3afcc

SHA256
d92cabbac03f4f0d596439c00544f553934cd71a7ccf48918ada0ac6da0d3c72

SHA512
887a7d7e1f8ed0d3645c95358d46ad59445b38d2b37c44b5f112e8544ceb868db8130700ff30c98d1aed7308c7c7d5037d3439b26ff16110a2fcf6535a1e827b

Download Submit
C:\Program Files\Microsoft Office\Office14\VisioCustom.propdesc

Filesize
1KB

MD5
e29fb6d9fe11962a71a65e66dae1cd34

SHA1
a83d934d07f06507cf0d80df587d68ba1a6ed7c5

SHA256
fe6a4468af9b06917dc3a25d235bc4c79b5530247c44511648bfadc4fec8fdcb

SHA512
ade846eb3a7275b10a8c94bbc320b769e4c6aceb3943243c7be13133341b78772b6be79d40fde35e66f045c95dca7aaf35445fc1304b111fedd398d6b15332d0

Download Submit
C:\Program Files\desktop.ini

Filesize
174B

MD5
5fd12742cce08cba65d625188d75841a

SHA1
3dc725047f6a2530c5a1b92c7d818452c61ad31e

SHA256
51c6e88e92c1d957e7f50f2477695adadaf2545092b4c07f124426cfd3f777bf

SHA512
8742116dffb81dc91794c1add92d8d04ccc52fbfe62e3799a461d1321201f92d87d9967faafaa1f138744a30368ef5fdc5dacae916f70f9d3ee532c60661def2

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
48KB

MD5
0c55059b5947b176e126062661c7259e

SHA1
dd2841e0a5e9f85414b7e8165768634be7a201de

SHA256
04de22b213a2e76a6f2c9282ad6320e5947e03792858f393cbb45549f7135454

SHA512
a5fecf02143a70fa15fb26cc460c02b2fbf4e8da2573de4d8bb5f401c4b62e64303e1ac1557fc517cdefed237fc3aff3c5ddb4abd85e1fb8fca532e40ea42668

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db

Filesize
16KB

MD5
59881c56de005aee52f2ad899952f022

SHA1
20e74b777bfc1d9f380d9cbdce02c818a8cb0fac

SHA256
26fbffd543c241d2b78b85946e467b1c142d44c85d7cade38f64aade227d897d

SHA512
0d6e3a5a16aa9ab590d3dd8486ace67ae03ab755eaebb88f164a4fd7686b5d425292f88a52aa404377315201bfdcc619f1a35ce904670f5dd1ad3630ab55e7a1

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{61F873D4-6A4D-4056-9964-0F866C4412BB}.2.ver0x0000000000000001.db

Filesize
2KB

MD5
6a7272f00e65a36d220e65f466e18204

SHA1
0ad20c9d74e1e642b4bc81581b3d019a5fcbb82f

SHA256
8ca05bab984897b5356bdf78acc00776f0a9e2d48d4dfd75efd2ca123ca32db4

SHA512
1e2f9c32e0e4a07964482d8c6980911514beda989fc3c570c059de5d3ea466fbd8edb2fe05c970ccb34f0e31876beebdf567bf4b5739a1ad917075dd9f0fee32

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db

Filesize
405KB

MD5
1ab318a23ddb1d570f31b78902b05f0c

SHA1
8d8b2424ce01c26710becfbed2d57367760b1d9d

SHA256
aee5252a84860719a9f71c1ca0cee9ffa313a2af0bbd56dd6c85c2da7e06b721

SHA512
893a3ec70aabf2052d2a1bb44f674dd19c5b7141f55f797d1eb431b2d9f371f5ef9da3adc1dfe755088ed56b434808c467297704e10019cc10d0826275e69778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Default Programs.lnk

Filesize
1KB

MD5
704e71979ff412dcb3aee2e845346488

SHA1
4dca1b9c94992e917aba29b2395073725e52b2e7

SHA256
3d8aeb72cf960f918067735931b86b34bc902aa1472bd94e9db73cd032f28f23

SHA512
82d4741b75957cb3e7f1e755e3d585ebdab4fe98eb92823418403fc4f9ad194e1eb64342eb1f0e60ebc43c1c43bfecc7cc32a7671c1cd8b8b89541192afa56e5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk

Filesize
742B

MD5
5db341e167dc93acf67b5b7a7328e0ba

SHA1
ac207e55526a5971a26332fa0a11e0f3ab8285a3

SHA256
05a5c36973066826f0e482ad447adfd4f70d2870e534eac6ac41f997d2724326

SHA512
d2d7e56475f227605e9effd9837f52c70e506766deac5cedfe454281853dee1c044b1e6965786b36a0ca6efc53a30d6834f0b5e72626d7f92b1227b4e7e81457

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk

Filesize
747B

MD5
a29c969a911598f14c7ac4540cdcdf59

SHA1
3efd8231abab3f258300201c8f20609f1ffe12d7

SHA256
960b1914e4ce1ef2f8d76b0235ba62de91575dfb3b7ff14ae073431836aa6780

SHA512
f96cb7f61842f2c6faf33b6b3254613f4bbde86e3124b9cc1cc7c64a958f71aa12b428ae911876c3ad44eb196e1d5351cf527871916484502ea0a4cbff5c6e26

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Speech Recognition.lnk

Filesize
1KB

MD5
858ab8f969d68677e88f2251cb038c93

SHA1
2d8ef7372c611f14ce9d0e1c5d08f34bbbe3c9b6

SHA256
0138e7b495e24a8bcf97adec0765e668e3ee1b4a214757ec117e4ec584257b43

SHA512
e08f0e77baa0ae3e155932670b1ca8f87c0282f3bad9cd9a7c8f3dd908e3d9707fc056d78407ac7874a97aada8e938c47365136161a02ea47bb5999dc7613868

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\desktop.ini

Filesize
370B

MD5
6a652df48be98eb45a7730b78168fa96

SHA1
97b099714137cedf07082acbb5f9905ef8966b26

SHA256
0af6db9ad1af8088eda4f9ce92bb8b7a8b194d8100ee1f24995be60059441897

SHA512
fdab6cba4fd546be3042ba5ac7d116331293d781df91f1d1ab16f5ac0a2a059b274cf05a41e0395536e7a83f141bb7bec9c38429953caa0186b4481ab71d012e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk

Filesize
1KB

MD5
6432a859826319af3a0e1030da8167c4

SHA1
3d006124fb9e00472a7ad6c1a23d426b26e67862

SHA256
fec81e96a75150d20f77ee922bc0706d353d7a440f0db0d6dc6e57c030b9e326

SHA512
29ee3119df1f23b32461e9e9547a841427f2f47fbec406406bc75c6e671fd3d2b9eabe5916a734273672a51d97d517f84186b5f6de1aa68126c817292668f07c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Math Input Panel.lnk

Filesize
1KB

MD5
2d53ef4e99bbd10682b4f8144c41c260

SHA1
304f747539948d2ae0caf700eb2cb64d59009d66

SHA256
7ec0e27f5e167bba6da6e53a2ec30c16c64042d380dc22d2cf48171ac93bf743

SHA512
2367ad4f09dd35896c33cd6ad0a359d8de376e96aef5d8b4c1ce1b2e82f9767ec361e8497c72548765a4a52212b8fb2ab08498f06aeb5650b5a5009b08025968

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Mobility Center.lnk

Filesize
1KB

MD5
712f0ad1126bf2242436540c080dec41

SHA1
6b0425beb4a59c1b29ea2b7e63ff89ccacbd9821

SHA256
20db359f05a1c06b27c8f7e7d177e8dc5156563c00d14d38268fc579d4b438ca

SHA512
0039f5b1abf3fb879390b254bcb62b7400749af2f67e19fb1b9486677121c39d1caef9fa33461e5aede6ab6b279c2388032ec0615702001bc56a8a003ec8a010

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\NetworkProjection.lnk

Filesize
1KB

MD5
ba65d48c8104acbf6fdd73dc37bad03e

SHA1
83f31f2e6cf0ee423ac7e600a96c20031362f821

SHA256
c9fbf103589188abe6cb941dadb40868f4c096970275a4bf4b3794050bfd5b8c

SHA512
45af7eed2caa9ed886f93af8dfb5b0619e06b787e8006b2fa3f9752ae17df20a8474a7548c9157c2b67b2ce8d0b316747583291a618a6ccac6d0354b09863d9e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk

Filesize
1KB

MD5
ba65d48c8104acbf6fdd73dc37bad03e

SHA1
83f31f2e6cf0ee423ac7e600a96c20031362f821

SHA256
c9fbf103589188abe6cb941dadb40868f4c096970275a4bf4b3794050bfd5b8c

SHA512
45af7eed2caa9ed886f93af8dfb5b0619e06b787e8006b2fa3f9752ae17df20a8474a7548c9157c2b67b2ce8d0b316747583291a618a6ccac6d0354b09863d9e

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk

Filesize
1KB

MD5
a4e3a7a5d185ad71d5deb3edcf2cb235

SHA1
bf5a9af34e93a8802d301cae5476cea6bbe30d6b

SHA256
7f51e45a0ac1ee498665e5525b2117a147d7fbbbab25345e79d6debdff43fa11

SHA512
2f2e9c3bf6d0f2d485837951895e9f636de0ed8313c586e914c4cf0d60b22e5c93e291062b537acf2e70ef2bffd39cd5566dd98bf7fdbfcb6490129961474109

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk

Filesize
1KB

MD5
f1e6b2fb3df0c1d4f16f6d6d4fbe6f46

SHA1
eda008b8090fbcfb68be4c5defa997acd4a25166

SHA256
5e04932a45ed87ab41562b5a6ebf9f038e9dd826ccd37bd7d905e3f7adcc5ceb

SHA512
b14a77d21dcf003cbb6b40367d13fc44ff7ef6c281f87e32fd00b56c78e8c140cc7d27a42c45f55f8d8fe060445ffca5280119adef8a8640f7a84218c608600a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sound Recorder.lnk

Filesize
1KB

MD5
7a73b131cdc9a20c61c84333a939621f

SHA1
a569cd56fceff022af631ea89c5ff9a0d9ec1a81

SHA256
dfee5ef33cba5c3806c517eebceed064001681a75a0cd79297ace21aee494726

SHA512
3e042c70261ba36e421f83da600193a52800e7ef4db12e9b8b3597b7cf50fb06ff576bee90f72a7a53cb5358fef95917a1e2de96657a7b79c235dd8849b4dbf3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Filesize
1KB

MD5
e9654156f18004997f6bef996d14d9be

SHA1
6a52168175b2de15c6ef967ee9fd06ade3d12355

SHA256
1f7800e4b32e8509d8339a837e2d9a2f9a3c24451c492c2280130dd7ebb44fce

SHA512
5bde457b26edff04ca41324dd209c67ad1a88e473615d38edbd74e32c0428c77f1680bb0ab153b7075f2f9c2fb887f320ea4c715268d8d234d8132de7b72bc34

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sync Center.lnk

Filesize
1KB

MD5
a34b90941fa11493e63205a680794292

SHA1
d2c329877664ea00987d5cdfc626de1046256e94

SHA256
fd43a3a4708e98c1ac8397c25e7e0dd55739e77e7b9b6375db928a2d26bc32f9

SHA512
84d30596d39621c6fec13d27f3ed85e3f3d0934c2c3c85e04f54ebff3f34713dd09a85c1e0877c98e26066b54e8989358ddfdb0a847345bd078ec9fe4a15a1b7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk

Filesize
1KB

MD5
a2a5df65392593977444edbc1fa44799

SHA1
70ba6c894d2eb893c8e9acf14a9c00d787390fea

SHA256
273710049098319087fea7c7cd6306099164eecdb6cec7b195c7d93caae42ce8

SHA512
0810c6fb9bdee8e70c2681ebbc7a8026e5c36ee209df2750b8844f32eccd6f26e1f502d8ee6473b93046928fd6d0bd9421ee98de82f337bf35481392034d7f86

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Disk Cleanup.lnk

Filesize
1KB

MD5
7fd520dcff6c74a1705aaa25f17decd8

SHA1
6db51bf3758b5dc6fa9902affe0695b0d09b22aa

SHA256
daa92ae689ee99ddaaee5416ad4ea512064c21796b0874fcac0b2ab7c5c6e890

SHA512
6ee5bef59bee13800db75700e632229d7aeb5d3e4c75ab423239d5a6ad655ecc028fa2348f5f9b6e90f26c49365be78b2013b806f731bb6a3005c82a3672d687

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Resource Monitor.lnk

Filesize
1KB

MD5
48b4d6e1dda05cf46707be6e7c831127

SHA1
e601fe284e2f2f16506120d75fc2bdf9bebe0e39

SHA256
fe3a0d097c7a46c702c7eb5b530158a020bf7036928c46de62c24edb84e9d58d

SHA512
6767c7b91422b7b5a3c1181506f360e8d18a42e1915e969ec36a56f8eda8d775ca26da2b9f85e9638e7285f70e53a22093f9b8201ae15b2daa7e10f15b09a40b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Information.lnk

Filesize
1KB

MD5
cc5ab64297db61cd546a44144b46626f

SHA1
88e796692957fc7525a6ffdeef5f1099c02b6a18

SHA256
954da2864beb5d0a9e86b2d4342f83bd24d61870273376e2569a15380d9edac1

SHA512
780d8288ff302e296d54a6c1fca00d9b2fa1f9232bac85d79021ccf5569b9f1bdcc0931e5f5071a53dd49f1fd98a1b6d1c626118616ea56e37364baf0d4d8626

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\System Restore.lnk

Filesize
1KB

MD5
5fdcd3eb0abefce2037c5f9140395ceb

SHA1
4d3f81bf652da52ab5fccd96b97e02784aa71ade

SHA256
ccc1eb75ada80f1a5c5e6afd84b574dbc9f2717de963557216b9fa52f32aaae2

SHA512
f55fb4868d60068895e49929fce1392d8124b470cace02e10f31a9725440ab862b763a70f8c3e73ae6a5d9f05e6c4abf86cef3b7e8cef8d1142db839b80fc663

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Task Scheduler.lnk

Filesize
1KB

MD5
9d268c61860d63bd0a0432b82754f354

SHA1
a8d86c41ce30a2a9cb853fb9308dc0932cb09cc2

SHA256
9241f76cfc6b7199fc0ed7818774d046d41f797cbe069990deccdc8173e7e6ef

SHA512
7a8c0bdd13f14437d842dbb174958e0b75c2ed4efe3d940a131c221f75d17d041face3fdbaeed62e373c7252d8ee83373b73a205fe15dff797fc35cbd8ac65f4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer Reports.lnk

Filesize
1KB

MD5
36c97fd8b0ba23a3be369828ef4472fa

SHA1
8d6caa063d01169b1336fd4d1a20bc406e9f98f8

SHA256
47325111670f8464625b880a132ad893fb4466d8e450beb9d06f91534e8c90ce

SHA512
8a069234cbd17551fc27ea1ca8fd8bf7e3980cf136a5c81fb6c6defa50be5474f740d67d2347269fd8998acdbe88fea86bb7e844e22acb8afc0f722a41c1a6a2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Windows Easy Transfer.lnk

Filesize
1KB

MD5
3a7e8d643feafe64ddb0b5bda14091ac

SHA1
1d2da770d2535ec3b8b5fb93280be2046749a08e

SHA256
b4a99490c37fd7734b660e11673829f26dfa2acdc2748670283b03cb3e45dd75

SHA512
a8c911489a5022a5e673027035752c3a546ed694ab3da32217acb099bf5eb6396aba91d30997e389f4b65a83070a4daae26a9b4c24791b31b90aa5174a297410

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini

Filesize
1KB

MD5
899e67a1070dd5405d9f75db3aa01d11

SHA1
2312f6241a379f8f03aa701d3fdae2c469d0503a

SHA256
02762ee2aad7a590818be326d3784352e2e2cfb726bb5d0f9d85973c81efd621

SHA512
d8eefac36abd7636ff2d01cd1bd320dbe578ae3988f828d95de8a9e82203d40166dd49386dfc608b2c788e8e8b6bdc74d127c4b00b920f60cfc6a22894dff124

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\dfrgui.lnk

Filesize
1KB

MD5
88c655816722612434bf6b902df322fd

SHA1
ed71d8ec8f322c28087e6567471e8629589f1312

SHA256
6aa4220a5ff07c4058a6763792a5a8aef6472b00b6e52e38caff75a8edd45e7f

SHA512
8e9df0ea59f6bde1526743269242fab54fdd8ebac33bd0a0477338eeef2c06295ed2f9bcce2a8fbf643099e4d050fce6bb19869f550e7adf5de07db0b2018388

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\ShapeCollector.lnk

Filesize
1KB

MD5
f9bcc4ac0e63dd335375ee8b7f43985c

SHA1
9d1c07064970e6b6621bae73f2e18f8970b67081

SHA256
5da9bf55d5e00d58990b0a05149cfd3825ef6d8e94065774b6914cf41678614e

SHA512
1b52045faa49e52d538064e39dae604f25ebe2fb1c02042039f4af0d2fa13084fc9621e58ee64ad1a71011c5c1d6e4b1ce8a9eb208bf888009486d944ecbc169

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\TabTip.lnk

Filesize
1KB

MD5
da4e6c123f3543b54e58d9bc2eb4607b

SHA1
cbc0ea58b04273f1216f826c30e14a0a69e235fd

SHA256
e3aa4ce076a954a3d2281a856cc2a4238f9cec6e6925da68dcdb09b2fb2d334c

SHA512
48188a71027a1fb48e7c4c44a59ff43af057e77e2b35e0de71bf201d5c464dcb9d3d17381fa2f2caf89c0007cfe4ea16130b9659371fe4570b6e58f05c2cc770

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Windows Journal.lnk

Filesize
1KB

MD5
9b2441489d84395aac86d53c4cef17a1

SHA1
94a466559302658ccdbf25c164773305c193bf88

SHA256
eea742f5fde181a47619fa1f34874697aad762b934388378342d4c330c286733

SHA512
09aa975faab1d65a25934cba60940d552ab046232cb365302f6baca9ad44a16b0dc06466d7bcbd0ed0e04de633dadae3f1d8cc1f6430ae24b65a1a4d1070f48b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\desktop.ini

Filesize
343B

MD5
6e82341dd9d5da2e24f541f69131c9f7

SHA1
cd72e2fadcae1849c242b1477b90c25d38baf8c7

SHA256
5bb9bdfa400e1984117318e3efd18c7260a97394eb5d2924c3066b40771b6ad3

SHA512
ef1f29382777c0230b3addfaff09eb30529f8f5bbf031303dbd1c5359e1e34dd3846d9f9522993df2b89aa65d34124e26954df5d6a22eb0e1388f7138e6d26d7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk

Filesize
1KB

MD5
a984a1fee606519147f818d5e07dcf25

SHA1
6eb945a78d65a992601f4884c58b099463c58f0b

SHA256
944e11f1b4c264edf6b0a5c327aa800f391bf6c9116eb728a1ae0ef8ee33c600

SHA512
58e044679fa2bf0430ddeaa38dc50b2681478956719b5ff07cfbba41ead63f75c45df34dfc2c6e20b529cc68877fb533f5ec173a522b0c2227d4e39c277e1fab

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk

Filesize
1KB

MD5
d93901e0dcd355fc31fb153f1eca0c06

SHA1
afcb2a5ed54b94dea009efcef5578e935cd4a278

SHA256
1bab139e4e2b588fa50f1ad6682f794263979ba8b74744e3bb4fc3329d54951e

SHA512
55d6d8999e5c277db61049ae57042007c90ecb66e2c696bc9ad67bc55a6ce78dd49af7c04ec34136dd53a12e6ff6473a28de1cbf51d3bb5223246da19ec1b4e2

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE (x86).lnk

Filesize
1KB

MD5
e07a7f39700845df607689527d6accac

SHA1
4b9dcb3463711f515452bc8cda62d701e71f1bce

SHA256
e07a521323e40095057d815aacf357ee8123409d68028a342e66fe26959f01b4

SHA512
68469cf05f070eac78cee9025aad940022e0e302350a3d4679424eca0ba1e26a7ecf3d830fdf12854f0137c3181780bd045077854be108523a7274445b548abc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell ISE.lnk

Filesize
1KB

MD5
e07a7f39700845df607689527d6accac

SHA1
4b9dcb3463711f515452bc8cda62d701e71f1bce

SHA256
e07a521323e40095057d815aacf357ee8123409d68028a342e66fe26959f01b4

SHA512
68469cf05f070eac78cee9025aad940022e0e302350a3d4679424eca0ba1e26a7ecf3d830fdf12854f0137c3181780bd045077854be108523a7274445b548abc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Filesize
1KB

MD5
f897d205f647ebb89e73f305a307090d

SHA1
85f205158a227f482b437b745d3e54ffcec07c0e

SHA256
16d08850a4af66f9bf3180c5ad9a17ca7a0199c4373b9e17914aad85a5759613

SHA512
09bb59a73b236d567eb251b2a9f48079b3b8565820649ed11583041bd299ef19f094260951fca0e23539f451b03ec5033899ba1a391cf7479561c07bba0ca92f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini

Filesize
216B

MD5
0eb46b4c989ffa6c6fae0c55d56b263a

SHA1
91c51f0daf8d57bc4de84d4c77353e971fb1fc1e

SHA256
fc6aa09b1cbaef534d562c368574e5835d4b48b13df2991e0389941ceae35050

SHA512
572fbb9ab7a84b170629575a93d68b855bf192bb123008058bbed3609737c10733ab1633de9748bae4159d3cf525be9f2d9c545ae807c6fe27c2bb47e72cb3e3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Wordpad.lnk

Filesize
1KB

MD5
280ef0f79bdca38f59672f75da492f8d

SHA1
0213b16e93281435799d45f78ae45f99652f6030

SHA256
c809b2e0b923cd07cc551c753556c3e555a841572512dc308bb06db1326c3d1b

SHA512
6e7d6aa213c5f5ccf54fa0dadbbdf4716194c7b2341ad66684e9d8aac429b2353ae619f27fa053bed0494c67124775e95cd3f185deb3498a8a076af324927881

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini

Filesize
1KB

MD5
243a7e6d43f4893b72786338edcdbe81

SHA1
956c12364bb7c8856fd8114aa241ac6d815b6ae1

SHA256
2d49d647284fa9a5e22a0b8c83aa9335b2552362864852f96aa60f7c402098c3

SHA512
610b23eaaf300b9f468ddaf2ff62113d6f33196f5e108e64b0368594829915b6b40f4cfb55c6356d8480da837811ec0a7f5262ce756ccd568f06b04d2f9495f9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk

Filesize
1KB

MD5
5d2c733e60c00796337452ee32e151f0

SHA1
5d34b49db10910136f40b1fde40e73646f8b42f9

SHA256
508d96dd2557175654bfc02d66331f21a7059b910abda1f3775205afa492102b

SHA512
51ec3b98fb4375070752a5a888a282dafee7351f993b40920f28dfdd89168a43f890fae621f3f2d541844dfbca581a93c39385c71cc4612d5cedef76f9814ded

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk

Filesize
1KB

MD5
9c056bc89590cb6ca0501895dcb31a18

SHA1
7b3f4f10ac2d65b27451fe7181fb7c261c330082

SHA256
a07397f0ed0ea9943dfad318e116d02e049b5f4773a583cb37aa40d947fcae9b

SHA512
15a3a5fc1b6b537544027a29a76bef64a4ecb042d892396bd94f5f1108724ddfa2b42920ba89f8db3d14f32a6b10315bbb9e0c8896c61dc74e7c7c53190a18b1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk

Filesize
1KB

MD5
ca5a32494d47137c3597d8c0487a3d76

SHA1
9b5220a7f9fff9fe5221e1a1b15304476839fc22

SHA256
430f33e62172676e526c81de14d0a9b4e171ca46e57f94cc2a1184a237407fcf

SHA512
22b55ccd5e4bfe7e368fbf0455ccd32299132f2c469e4207b5a5065036d86fd67783285bc98444ee88f758055eed41f75e41ad120678b786c040b936feb51034

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Data Sources (ODBC).lnk

Filesize
1KB

MD5
9ce7065852c8c2540e29f1d9c6df4b74

SHA1
17fbecfc1a2d336967880cec8b863ca03a0755f0

SHA256
a3e2c4dd1618bf8b0302c6b5e4914452407ff128c73002d6f675eb410262ecd0

SHA512
6450a19415f15c7312a620b2ce465d75d784e92df8b9e30609bc21c0ab81d454f565a5c2932223ee3bf6570c9e5e060f86f1c63715c598877aab9c62c19d7a79

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

Filesize
1KB

MD5
ca75878c6523455ef9c9a44fa2c0c4e1

SHA1
5a0bd8ed272289cacdf415a7c109227d24a03dec

SHA256
a6ec0ed58f2d4557b7c599e2fada66f8b5f539bf352df6b400bc6671b4922edf

SHA512
6203eb6d7b44af7d8c7860a2fefdf599d3e11392bbd45af553a0c63aa58ebef9145a41f11301d87fa7be491b7aa62646439c355f06fee009222b372ae362187f

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk

Filesize
2KB

MD5
5f0106f15cf5f08f8d0c0531456499ae

SHA1
90186437c2ee90b865f88aad78372df5e5d17b5c

SHA256
45f0ad0968fa25bd6f1137db0ca36c94563b19112bdfd3802f7caa9694abec8c

SHA512
068d2fa11d29fd6d8bf312684ed3aa408335ddb54ebadc54905671bd6cac2525d5973d04742dab9c0ea0b410a49ba2ba1c9b201ced43a8c9a9ac3c9d9c2c5fe6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Firefox.lnk

Filesize
943B

MD5
e6c6a8ec488c9a099e40474f6e0fbed1

SHA1
c96935e61f77c7fc6e989549e297a5147629ebcf

SHA256
03a5443dddf21a7c82051ae2bae485b3c127736f6f33a8549f3dbb1c24f7f079

SHA512
350ad16711c2d3e2cb8b8503e4b6f92cb8a31f551a4b7efa5e3ec7c7cf36a7e0f75db3c7baffce9af8fdda5e2fb12eb3464d0b97391b968a282d12e19667ae6b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini

Filesize
1KB

MD5
df85bd5fc19ce943ce79515873e5d610

SHA1
3970fde45fb5c244e00810a5b550f43a8cddfe12

SHA256
39ffdcd297277a6770cd27a23e2f920f68ffd1bd7c676eccdbf5f38fd2644b08

SHA512
ffcc9923095602b442d19d483c33eb561ad2c1f43f94c0999b073229be417e961ce96187705aa9e68bd6c2baf80a6255efa5ba819b12be59b58019c01276892d

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk

Filesize
2KB

MD5
58f71a40ddce75e1ecb880ea5e9a56f8

SHA1
ecb316094cc893a09cd0dd023c3b89f512607b82

SHA256
0665e89015b3ff229fe0c3312795122330da80e7f9c63c1e28fb9e657bc7da86

SHA512
5018b03fdf63e65dbd2c96f09c2720dc6da083cc3712210490af78b0216829cf142b80647dc09537b82f5231570a3f8c6d73c6729dc4cf2ba2e926e0cecb89b1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\desktop.ini

Filesize
606B

MD5
20bcae0186b3eb9ce5e26fa24c7e987e

SHA1
ed4ef71cfde63d5a4ca63cf4d1cfd2340e194ee1

SHA256
bd7c67a6bc79d9917829ba40c3cb798db3e2d599a406b7a28649d40fcfdb9d7f

SHA512
c8d5d7aeb614f7b63f1b2b9e9206dc88cc2eb510afa439ec1c58e4b60da7266f618cb623677a2702f2d0a581f788182e37a30c80a24cd217412c9a410d5981dd

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk

Filesize
1KB

MD5
7a27db5d69ed6623e80b52414daf91e6

SHA1
b2f7baa5101b21d9cf59465d692e2157a0b63ba9

SHA256
ec3756f2764ac3777c58d5e1459df194abb4e4bc3a7ab7b976bd6dab64744e62

SHA512
db48d793482f1eb6844b0c37dbb5b40fdd32c710b10fd302ce0d0b2a4a84ffb1692d69e799a9a0b7ec6d1ff7c7bef79ff47f93b02fe534fdce2b55446afccbec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk

Filesize
1KB

MD5
72afbe21dce30f89d968ec2a79f270e5

SHA1
7aa160573286424e7e1800e6326199d9673a3181

SHA256
99245cc02d8172dd691a4069176a065b11625e163686248c260099b4bc95b74c

SHA512
4e1a6a63ea6f131453f3344f57df193507c239603b0f56ecb008ee9c74cb9f72b8256cd34bb6a19ececacdeaa4db92923126317def5d94d93c55edfd1afac1e8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Filesize
174B

MD5
77b7db3d1e882ddf3577df1149c976b8

SHA1
c99ca9ea3ef17e9625a226d170b389eddf1baf6a

SHA256
8bf0ebdd7c4b91bd0791dbdfcc4f0a74502ddda67f23d9a01435bffd272edde8

SHA512
6497c7747b9d345c30d23a2d43cea0e5e48b46a08c8190ce398f9178a0c291849ccc04990f8d099463c11431e39b6cdf321aa4330534521f854bc798483e22d3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows DVD Maker.lnk

Filesize
1KB

MD5
f7ce4bd5dab610c33a6cc72ed03d95b3

SHA1
059d0b610a4f419efdd95846a43155cb7548c19a

SHA256
3711ad81a44b6e896093b3bf8754a3129bb93ea9e34691a2e9f93c85792601f9

SHA512
73c466e2b2762efcbb13c22de6064916f09c3dc28c7e6568883367f328e96b8d891e3be8255a2ea021ce1b51f6fb43f517e340f96f8df0ad5703946140f2f644

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk

Filesize
1KB

MD5
db2dcd5f6d8c3522dda899d501e1b0f0

SHA1
9cef523873784bea0d52383b993e3af64e63ce70

SHA256
374c2c372486b5789c143a7bfaa145ca5386578ef7ad4af6f1d7ded3afb07919

SHA512
2de05dca0d5a33ab9bf40a42f6d1c8d77e1960bad3957652d66db7f9cc5bf1781271108cb2da55afbf4a32a71dc0b06b1b53276992e5ad21c95e86ffba7ced81

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Media Player.lnk

Filesize
1KB

MD5
a48981dc08db958d08b56b2d85ab4814

SHA1
da99dd95f60e129b0be15cde114a23410c8aeab0

SHA256
87555048bed7010280ce209bd81c42ec7475d9e2f1fb433f5a0f6f5a47a28eaa

SHA512
171d7ebea9926ec2b416291167e411c3f46c36ed37c54250456caf753a3336c6d39ac044f7296e053fd7377ec9fce81e95804eecc59d812bb9c84aeac0f6e4d0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Filesize
1KB

MD5
e9af751c31bfc3ac1254978864e0c810

SHA1
ba769751b164d56fc933c9e534e03095eaa32702

SHA256
a2a841559564fabe17446a382767d7b02489d88f4a619748575bd40b2c26c5c0

SHA512
f783a37e284e5bfd1450db79d3695b9f60c5d0c38cb7562d2d64b439a67c3cb54447f9d2915a20d3535a405535909d597fb892a22e33e5d00023ff70f9c43499

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

Filesize
964B

MD5
f58ba31d98e00dae29f4c5454a66153e

SHA1
fa99e6caa474a4e08eedc7ba32b2d8ebd5ffe36e

SHA256
1df4a6c68160d5776b8141df39c6742ec4c7eb154a42bd029b18e2e471e2ff82

SHA512
3598459b14efa4162ef631ff89759a51b053aa2dbe27fdcf32826904ba4a4a08c8fd717eacf96676a1c3812ce755e17c7eb4b496919a55db317d33bf492935ee

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Windows Update.lnk

Filesize
1KB

MD5
d4711bd6d9d8ee6d6b3e9c1658d5b8de

SHA1
9b2bac91316708f95ee171dbffcef28c376e22ac

SHA256
bbb477f174338f417b0c320a29c8e8e0e1b8b5313a96e62bf74a60ff6e7ee1b7

SHA512
3a424062c1651e3554820c4c6c6a73682dafc3fc28395d64bb65069d5a2206929e49f3d6043f13061cc75053e617a8bb7b55a5773cf908ed59b0cfe955309c59

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini

Filesize
442B

MD5
b9809cc1ea03bc9477a0ad8fc1af6cea

SHA1
9e38d2deb9ef4f318ae2754f5dca902f0d619eed

SHA256
65d6523dee0f9da7a95a1d99c16ae0eac3fadb1041fb025fd21129d2f8ab12eb

SHA512
091e1ca2f9f09808f08d6a6145401d5c6bedf5794b1f3e69c12146bcea6161c51bdf8f286a7bb40dd67936e2b5671811b2152231d7e46fede54136dc9fc2fb33

Download Submit
memory/652-57-0x000007FEFB2A1000-0x000007FEFB2A3000-memory.dmp

Filesize
8KB

Download
memory/1032-123-0x000007FEF8C11000-0x000007FEF8C13000-memory.dmp

Filesize
8KB

Download
memory/1212-55-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/1400-56-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads