infinitylock | f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

General

Target

EndermanchInfinityCryptex.exe
Size

211KB
MD5

b805db8f6a84475ef76b795b0d1ed6ae
SHA1

7711cb4873e58b7adcf2a2b047b090e78d10c75b
SHA256

f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf
SHA512

62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416
SSDEEP

1536:YoCFfC303p22fkZrRQpnqjoi7l832fbu9ZXILwVENbM:rCVC303p22sZrRQpnviB832Du9WMON

Score

10^/10

infinitylock ransomware

Malware Config

Signatures

InfinityLock Ransomware
Also known as InfinityCrypt. Based on the open-source HiddenTear ransomware.
ransomware infinitylock

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

EndermanchInfinityCryptex.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CheckpointOpen.crw.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromWrite.raw.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRedo.png.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Users\Admin\Pictures\SelectUnprotect.raw.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectResolve.raw.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateEdit.crw.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveSearch.tiff.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe

Drops file in Program Files directory 64 IoCs

Processes:

EndermanchInfinityCryptex.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01848_.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02267_.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21307_.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACEDAO.DLL.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSAIN.DLL.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\PUSH.WAV.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00224_.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106958.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21433_.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15155_.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSN.ICO.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46B.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\ACCOLK.DLL.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN105.XML.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDEBARBB.DPV.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107708.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200163.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01172_.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BULLETS.DLL.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSTH7ES.LEX.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086432.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01842_.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199036.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14794_.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OCLTINT.DLL.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01041_.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\VCTRN_01.MID.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME45.CSS.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\MINUS.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107262.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\1 Right.accdt.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152716.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02198_.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GFX.DLL.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7FR.LEX.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRDEN_01.MID.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03339_.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow.css.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AU.XML.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00455_.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152594.WMF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\background.gif.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF	EndermanchInfinityCryptex.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EndermanchInfinityCryptex.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EndermanchInfinityCryptex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EndermanchInfinityCryptex.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

EndermanchInfinityCryptex.exe

description pid process

Token: SeDebugPrivilege 540 EndermanchInfinityCryptex.exe

description	pid	process
Token: SeDebugPrivilege	540	EndermanchInfinityCryptex.exe

C:\Users\Admin\AppData\Local\Temp\EndermanchInfinityCryptex.exe
"C:\Users\Admin\AppData\Local\Temp\EndermanchInfinityCryptex.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF
Filesize
352B

MD5
dbd3255b08e0b2f8e1f1759a8a1666fe

SHA1
3f1d372441e71a3def80675a2a391fb3059e473b

SHA256
1092de30ce24936e353cf64ec23dc1b39984629534b5524d9804d3c5f27008d3

SHA512
6418eb75435d0148f6ab9f23b2b077e25c1a917ee7f155f3705f9631e795586dbc0aa33f2587ab23daec6b7ac3c7ff0f7952e27b421c6dfafb5bcca82e9b35b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF
Filesize
224B

MD5
a49d132390e1d7dc8ce45b1d6d349a6f

SHA1
49a9c4248d65f2f9ea2b031dbf4e2edc06240576

SHA256
30aedc137d22fe9cf4c2b95d0c13c99375135b63dee098b8b9ba446e203ff476

SHA512
03ea4af4e3f8c754d1308a7f11865f47d96637b88517f74e393521ab563b711f03e900d616a615e4aaf2823c39d998feb90619ecaafd2390aaa69ba4120641d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF
Filesize
128B

MD5
48af601684c2f945d1acebec3cb9811e

SHA1
d33d47b4463a0cae698fc2f76496a4c0f32153f6

SHA256
65da3f50affcfb0aca76256ba00fef49369772b6626b2daaca3393940ee458e0

SHA512
44007be6545f4acc5c7d731f9e97fc2ab81ad0df167f32c3829b854001d9ec8c2700d6c9f61916c512d8ca1966f93a0ac7ab870f9678ec31b9990a67c0c02c16

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF
Filesize
128B

MD5
020d0e8183a409cf3f49dc1d4113efd7

SHA1
dcdd6e591587fdbbaddd2fe9c90ede7fa3877db7

SHA256
462a5f8ea5cacea7fe5fa72b9ee94d98b90f47eee2bf6027986118ad36abf3d7

SHA512
ec4a6290fe0ad492b620f54d9786534bbc69dbfe6568fd145a1790fb68faa54c16dd560548ef7a1b72b6912f8c25d1314ae38d73cdbe880876852775a9a697d3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF
Filesize
192B

MD5
519a093e6700697a34619cf256b3a75c

SHA1
77591c1665a5562f2afdfbd1e0d5148a0fcb0449

SHA256
a8f71119d847bbd05351c7d0aaaf32fb27cfd6f551f5dc25285816cd492da521

SHA512
76875d06ad669f9732f7383918db0871f53c09e02ad193413286cbdfd198638e97f38810e34eeef9d0b3d83f68b722187a2ea80682307a1eae21763a6f6f4f86

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF
Filesize
512B

MD5
9b02e567a371437de7fd262b9e5c9476

SHA1
c3be1dcc770e6e42c2723213ab0f6c81ca8eb0ab

SHA256
abe15fa17eb14b8fdde38f751f775fdb02147f35c886dd9dfae33b2573000366

SHA512
ef3fcba574c1676d82d8f521b5c6746ad848085e32febf6dbc7d6a296831bffef132e613f9050f0a9cb5d5bb971c98b1fd5cd73a6369ed2ff4e9b8881fb6990e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF
Filesize
1KB

MD5
438f95277112ef36c2487841f49ccf5b

SHA1
c13cb6d176d7057827ee34d460437f032f3be064

SHA256
7df907a5a3ef72a6aeb5d7e9d367b00059df75cc672c45722f727a83a8eb3d36

SHA512
26ecafc0f66134b888ef971bc43a279aa2dff83b82ae1db5704e879d4042e83076f95695f606e72c8857f02651e872f235b91aad362b6ba459f057a292b3d2dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.CB77D3A3468CE9362C4E39CA4C9CC388AA7D3E8709AD020E646A71776F9F58FF
Filesize
816B

MD5
2e364164efdeca80749688553eff955c

SHA1
bab01d2e54be62017d4e061daa99cfdbddc23ff0

SHA256
53715e908a54f53fc32559fa47a5bb3b86e74fe0b9b45e8acf766794aa6e058d

SHA512
d65c66ad0842ac87f0b5a3fad672b1b72142de1f8a893b29e8e8da0435b601024e5975be405537ad275bcafc2f179c106a16dde7ba9a77b93f47040ffea95f5e

Download Submit
memory/540-54-0x0000000000130000-0x000000000016C000-memory.dmp

Filesize
240KB

Download
memory/540-55-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/540-5403-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/540-5404-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads