phobos | 41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eaf

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11-01-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
Size

56KB
MD5

dc2d809e46c60ee990844ee7fbdc17cd
SHA1

839ce9c0e3cab37d4de0b25460d9b0dc047bb2ae
SHA256

41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eaf
SHA512

0c3ddc1e5071a45b5c95165b655d1b0a1ba9538fd4066ec62a7904c60974671250b27634e29d35c08658936e3674683b990e3bbc81307ee5fbfce52a2df675c7
SSDEEP

1536:UNeRBl5PT/rx1mzwRMSTdLpJPQG9TY28U:UQRrmzwR5Jop28U

Score

10^/10

phobos evasion persistence ransomware spyware stealer

Malware Config

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

1256 bcdedit.exe
1160 bcdedit.exe
1544 bcdedit.exe
2804 bcdedit.exe
Renames multiple (307) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1268 wbadmin.exe
2792 wbadmin.exe
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

2736 netsh.exe
2656 netsh.exe

pid	process
1256	bcdedit.exe
1160	bcdedit.exe
1544	bcdedit.exe
2804	bcdedit.exe

pid	process
1268	wbadmin.exe
2792	wbadmin.exe

pid	process
2736	netsh.exe
2656	netsh.exe

Drops startup file 3 IoCs

Processes:

41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe = "C:\\Users\\Admin\\AppData\\Local\\41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe"	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe = "C:\\Users\\Admin\\AppData\\Local\\41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe"	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\D5NM0E2V\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACR0LGSN\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IMWY02E9\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Public\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KZY3GE37\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6S505ELS\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\UK06G3BB\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B23MSSI3\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3I8TNX97\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

Drops file in Program Files directory 64 IoCs

Processes:

41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749G.GIF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02055_.WMF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdemuxdump_plugin.dll	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.Infopath.dll.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.DPV	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7ES.DLL	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_foggy.png	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10263_.GIF.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL083.XML	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153514.WMF.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_TexturedBlue.gif.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME30.CSS	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART12.BDR.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB3B.BDR.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceme35.dll.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200611.WMF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233018.WMF.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-11.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2native.dll	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Xml.Linq.dll	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Apothecary.eftx.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\highlight.png	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\form_responses.gif.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00441_.WMF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\highDpiImageSwap.js	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188669.WMF.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281243.WMF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237759.WMF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\8.png	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\fr-FR\Chess.exe.mui	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\settings.html	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files\Java\jre7\lib\jfr.jar.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XML2WORD.XSL	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsBase.resources.dll	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\tipresx.dll.mui	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.png	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15134_.GIF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152414.WMF.id[415F2EE0-3316].[[email protected]].mango	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00512_.WMF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_over.png	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292278.WMF	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTS.ICO	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2304 vssadmin.exe
2676 vssadmin.exe

pid	process
2304	vssadmin.exe
2676	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

pid	process
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
Token: SeBackupPrivilege	2644	vssvc.exe
Token: SeRestorePrivilege	2644	vssvc.exe
Token: SeAuditPrivilege	2644	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: SeBackupPrivilege	2376	wbengine.exe
Token: SeRestorePrivilege	2376	wbengine.exe
Token: SeSecurityPrivilege	2376	wbengine.exe
Token: SeIncreaseQuotaPrivilege	2484	WMIC.exe
Token: SeSecurityPrivilege	2484	WMIC.exe
Token: SeTakeOwnershipPrivilege	2484	WMIC.exe
Token: SeLoadDriverPrivilege	2484	WMIC.exe
Token: SeSystemProfilePrivilege	2484	WMIC.exe
Token: SeSystemtimePrivilege	2484	WMIC.exe
Token: SeProfSingleProcessPrivilege	2484	WMIC.exe
Token: SeIncBasePriorityPrivilege	2484	WMIC.exe
Token: SeCreatePagefilePrivilege	2484	WMIC.exe
Token: SeBackupPrivilege	2484	WMIC.exe
Token: SeRestorePrivilege	2484	WMIC.exe
Token: SeShutdownPrivilege	2484	WMIC.exe
Token: SeDebugPrivilege	2484	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2484	WMIC.exe
Token: SeRemoteShutdownPrivilege	2484	WMIC.exe
Token: SeUndockPrivilege	2484	WMIC.exe
Token: SeManageVolumePrivilege	2484	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 3032	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 3032	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 3032	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 3032	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 1100	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 1100	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 1100	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 1100	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 1100 wrote to memory of 2304	1100	cmd.exe	vssadmin.exe
PID 1100 wrote to memory of 2304	1100	cmd.exe	vssadmin.exe
PID 1100 wrote to memory of 2304	1100	cmd.exe	vssadmin.exe
PID 3032 wrote to memory of 2736	3032	cmd.exe	netsh.exe
PID 3032 wrote to memory of 2736	3032	cmd.exe	netsh.exe
PID 3032 wrote to memory of 2736	3032	cmd.exe	netsh.exe
PID 3032 wrote to memory of 2656	3032	cmd.exe	netsh.exe
PID 3032 wrote to memory of 2656	3032	cmd.exe	netsh.exe
PID 3032 wrote to memory of 2656	3032	cmd.exe	netsh.exe
PID 1100 wrote to memory of 2768	1100	cmd.exe	WMIC.exe
PID 1100 wrote to memory of 2768	1100	cmd.exe	WMIC.exe
PID 1100 wrote to memory of 2768	1100	cmd.exe	WMIC.exe
PID 1100 wrote to memory of 1256	1100	cmd.exe	bcdedit.exe
PID 1100 wrote to memory of 1256	1100	cmd.exe	bcdedit.exe
PID 1100 wrote to memory of 1256	1100	cmd.exe	bcdedit.exe
PID 1100 wrote to memory of 1160	1100	cmd.exe	bcdedit.exe
PID 1100 wrote to memory of 1160	1100	cmd.exe	bcdedit.exe
PID 1100 wrote to memory of 1160	1100	cmd.exe	bcdedit.exe
PID 1100 wrote to memory of 1268	1100	cmd.exe	wbadmin.exe
PID 1100 wrote to memory of 1268	1100	cmd.exe	wbadmin.exe
PID 1100 wrote to memory of 1268	1100	cmd.exe	wbadmin.exe
PID 2040 wrote to memory of 1464	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 1464	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 1464	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 1464	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 1972	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 1972	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 1972	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 1972	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 2680	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 2680	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 2680	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 2680	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 2716	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 2716	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 2716	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 2716	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	mshta.exe
PID 2040 wrote to memory of 2876	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 2876	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 2876	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2040 wrote to memory of 2876	2040	41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe	cmd.exe
PID 2876 wrote to memory of 2676	2876	cmd.exe	vssadmin.exe
PID 2876 wrote to memory of 2676	2876	cmd.exe	vssadmin.exe
PID 2876 wrote to memory of 2676	2876	cmd.exe	vssadmin.exe
PID 2876 wrote to memory of 2484	2876	cmd.exe	WMIC.exe
PID 2876 wrote to memory of 2484	2876	cmd.exe	WMIC.exe
PID 2876 wrote to memory of 2484	2876	cmd.exe	WMIC.exe
PID 2876 wrote to memory of 2804	2876	cmd.exe	bcdedit.exe
PID 2876 wrote to memory of 2804	2876	cmd.exe	bcdedit.exe
PID 2876 wrote to memory of 2804	2876	cmd.exe	bcdedit.exe
PID 2876 wrote to memory of 1544	2876	cmd.exe	bcdedit.exe
PID 2876 wrote to memory of 1544	2876	cmd.exe	bcdedit.exe
PID 2876 wrote to memory of 1544	2876	cmd.exe	bcdedit.exe
PID 2876 wrote to memory of 2792	2876	cmd.exe	wbadmin.exe
PID 2876 wrote to memory of 2792	2876	cmd.exe	wbadmin.exe
PID 2876 wrote to memory of 2792	2876	cmd.exe	wbadmin.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
"C:\Users\Admin\AppData\Local\Temp\41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe
"C:\Users\Admin\AppData\Local\Temp\41dbdaeb1dc8fe40358a5e168af596da85c6a84796e63c9d10c11f2077129eafexe.exe"
2⤵
PID:2756

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2304

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1256

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1160

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1268

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
PID:2736

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
PID:2656

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:1464

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2676

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1544

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:2792

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:2804

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2716

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2680

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2424

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[415F2EE0-3316].[[email protected]].mango

Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF

Filesize
533B

MD5
decc47bad99272317818a41e7a522d85

SHA1
8d92c3a841aca4b24ae76a488c4e9985570c81d7

SHA256
153e9423e652627ab50fe46f33f0ee612adefaf54ad06bf70947650cdd32871e

SHA512
e8982763416ce78756050b0383398505979193e92a5cd7541758756a7e1c188405073329fa8f737861b4de5236c8a88f797cd0bf0083245349eee2905d906a7b

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02097_.WMF

Filesize
1KB

MD5
e3d6d9c99344bef76ff5e6fa940c1379

SHA1
84da7a8bafe3d5898bef2d806b318af5adcd85f1

SHA256
dd0a8ab83ad0ac36cb27968e73c3b8c87f5d3080854b214a74b53c152f534036

SHA512
63184737bdff4cc24545d32c83df3656d772538a91644870386aba113dbb09763d4357a45fc5e9197bcb0f3b5aa519d5f8fed6ff48d4d8f953e56b96fd43209b

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00241_.WMF

Filesize
1KB

MD5
b0d582502cd3ceeca01a0741bc96982c

SHA1
015498c371e78b8fc5ed5d0831bf2f8fcf803d05

SHA256
255c3a22d46b57e3f291eac23e404ce7b331400041930a0b43eb777bf8ed06fb

SHA512
d0b92159fe96a71ee641bb11365923eb89c391045c2b275e5fec0512ffca3c430cef1c25270c7440cfbb36d2e525675fd80b69ae2a9273f27ea384d19c58cf07

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF

Filesize
1KB

MD5
42968ab756f9db46dac524acd13c5283

SHA1
6cb4841f1adb1015105a551e1de9a673f2169650

SHA256
7fbcfcd86bdfa943dbd68f67c3fcba6e7ab86fda2d14d28862c176bf18579fca

SHA512
e42291e186e3b3f2e0dd3325d9ffee51a5b1b80fb0125a9fed79926f95f400ae38e7dc60c03718f3b6c8ed970fb9d2d9902bc8648c9d8f0fdf0f9fba8f735dbe

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00351_.WMF

Filesize
1KB

MD5
dd7428c326b6303dcda2df68badec0ef

SHA1
83d0d1df0c2116857baa8ab9c2d5f856e29d6b04

SHA256
59f4c13183ac051510c1eea1127c45540085a860875b07d4987d64ddbf46acbe

SHA512
402a8282fd6f050b125d6ae5efb9fd2bc9976356101714e908743d20f0cb317e43180936e44b709cf83cd12bc628674b74d46a1579332e54d0176484274bcb67

Download Submit
C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01244_.GIF

Filesize
467B

MD5
cafc2a2dde2f05e2a60677690d2ca245

SHA1
8bd9c447b79435b8497212ef76f5b43dffb030a8

SHA256
db91bef58cfa8c3ad4587f4d737202a2ea4374deb35305e8e56a4e0b57232a7e

SHA512
7f293929a1147163d71c612084c7fb99740a1fdae3a3f9d7782f795c10c1b7b2e49617e9d6746938167a2dd49bc5c53788bd8751c61ad145d2d42700ae1f1575

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml

Filesize
928B

MD5
7e5a19c335555b4fcaf22078f0a5e362

SHA1
55079ae8c6067cd839503f9c3ae7ef9deb72892d

SHA256
202115097d1bee389d4d4d81db00117252be97d5691af316941f3843ef7a05f5

SHA512
371b8cf9a6485a2c59fb928a8b460caec1f7a572126641f568f77133b78e0e7b91fd52c10e6089c286d4162050ce50f9aeb1886784d75d338ab02a6b7d357a68

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml

Filesize
964B

MD5
0fb569bd35d44c9ffa7d4728af4e734f

SHA1
b41945703b8efdabbb18c60ccd93d2115ceb78fa

SHA256
788ddb3f7716950d0d204e6cad9fe3cc1dddb6140f615cb1c76bea0541722c20

SHA512
b94c1fd2dd103b19b5fbac6c76d3166be91b01d659e1c912a26ccc48664a153c62cbbbf15ab3869aef08fdc8bb3918e4ce83bb97a1a428f55ce12793d50ee646

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml

Filesize
961B

MD5
5360b12f6a07af7be93437d215f72fca

SHA1
fe12fecaca49a131167d88817c4941514ea408e1

SHA256
a0cffb66ffbe1d4701a3aa75ae66af7ca178b45f5c722de3d9021a543129f80a

SHA512
a0b23b148cd30b1d4a41e81aca63179eda341bac1d1c3bf83924d0bef90a47e11f2de08b4cbb879331d507184ec1df9b59c18951e740b94247ef726b15fcc410

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml

Filesize
962B

MD5
c3c9945cae188df73afd04c6251ba98d

SHA1
4327d33b49b3c7046cdff83bdd31c724bdbf4118

SHA256
a2a40bb99c6a44d49eeb216549045620e8cb9fb90fb165eff71f846f30264096

SHA512
a674c78678624d59cff6386381c0e4e459836484aca4e617fec26729878743d2ffa5dd4a3bab0a0f0f27d60095739cf4ee0a6b0f4a5d79d31b43a7ecdbba02a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml

Filesize
960B

MD5
e2b1e53f26985bc0bc2a99c7d107a1d1

SHA1
b0b9bccd847f973baaed9790a33f3f77d2d1db1c

SHA256
3dc463a76fc170607c07b104c3cb531362ce7d6e10c1a34e0c0f370aeae08ce8

SHA512
0c53d4208a6b0cc0e6959d7eafc24012efd854316ac3830267861fd02f1da0246a268e75a7549b8b5ede05d08798f22f87c7bc305b62dbf76632cdff107ff718

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18255_.WMF

Filesize
2KB

MD5
68a8b1b2741f9c2ba2c58d3afbeff021

SHA1
7ef6db0684eda77c6003d00c98da41a3e76556cc

SHA256
3b19ee6de90710035284dadad89bb5ad0057db27c79ad2eca5f5d5e540a892c1

SHA512
fb35085a488c6f3cda39a51a67d32a8f88f8ca8b68fe07d68f2a86cfa28879b4998bdec237ee28e61a1271a5cd9f5705e1cf8bc6176df8a2cb3f410da2f90d5c

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10264_.GIF

Filesize
185B

MD5
6f6b5e30af6a9e64b7b6a19c39de7e0c

SHA1
f4e37133cd52efd2967e90d645332c44a56b6832

SHA256
babd6f664158d665504571b169a1e81ef75470cdca4fdd7d95be6cdb7826136d

SHA512
4521a9829f60e2f4af33d4f72dbeedac048fcec352554b449ca36bcc32b64b65151bb7fcec78b389c37ed5819acd4c7f61e9ec08591408dd2400cf78ab5d67ed

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21333_.GIF

Filesize
416B

MD5
c7ea739796f77dea0edf2dcebe980a6b

SHA1
5bab75849b9d716b8fec896e7b0f2d37659b3bad

SHA256
4cc7e6272db6b1ad7581f76c63c694e926e20698e9b02223d5041a55960463f2

SHA512
afa36a9eba55e94eaaa5c64129338d6af50a0a485c2b37075594e0415b8d2f2d181574a8b99969a92f90790085f761fb66b1a03020afc715fa17121b803ac534

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21339_.GIF

Filesize
108B

MD5
60c6b126049a35e50fffeadf17279275

SHA1
1d58c87e67c4b9d2c7ddd6b1f9c033eff16ca9b8

SHA256
77133f431d5e12dd850002c0d3d4e0fecbe3a7a699d604dc8c5eae9976e1d260

SHA512
a3e171c1c71e0c8fb05df6d783f5ac9c7ce0f9c3bbe653952ea048adce025192d5eba4ed8cc7800bd52afd265256ecea887ea63725c49cf563455ff321d45e76

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF

Filesize
177B

MD5
81e4bf29a6552cb0df60980b937ed4a3

SHA1
ca18e846361c6f84ae934ac108d5df987e977925

SHA256
8d84ef2aa665b1d6e1a15112d9c53eab04b68a09a088de5392ee63d51060db81

SHA512
ff58938f4d4c80baba6b15d20744b9762757cfc6834d8a5023b209f07914793881361ab457eed2fb0d17e28a8c99c541a142809f19715d0350c4487e78846ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF

Filesize
175B

MD5
6790430bcb39e961b83668cbaa1573dc

SHA1
9f01e584f766dfbb5e49d6e32f7dc51fea2d0d91

SHA256
5514e3463923ca8257bc073bf34413d0426a6b45bf569b5a5b74c7c5298c57a7

SHA512
6fe6a31054dc68ee8c59da7de683ce56963f27b6a3e8ed634184c5ac99b6cb4dfdc2ab7980b4acb1f9b2a44ed61cd363ebb388b44cf466c736789d9bda98573e

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF

Filesize
173B

MD5
4df019b7bb2ba1e54ed725a85be04261

SHA1
f40905a7a7dd1623fa8f075715c862f6b944e961

SHA256
33c35642a71ce7d31f92ebe614045d206968f058cb345c7df4ab397a2655f16d

SHA512
654f35be8431fb1e9995a75ea93b9fb04fa12e7ed94923df34ec99bf8052c46effb28ea46417357e1a6ce6f9a8663525d5ad48cd74942968df2a178396024ac1

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF

Filesize
176B

MD5
5dc32f41bef844b95b3a8d79e9633c42

SHA1
50cf558caa78030567cf4e265f7c9cba3a2d904b

SHA256
86d2cf5b090f43ee54d8f7c1dcf746a853951191457ff6dac96269a9d24860b9

SHA512
99e7e8bbb58a6727ddbfa71f9dbb7d02658a11d7e735367ead3cea004ed3edba9cca8997117745fb40733672879b5f466a7e39cd5684729eb413bce49c2019ec

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF

Filesize
471B

MD5
a50b718c3518b630251fb54b92bde360

SHA1
a9582222b6f4df2b4e3e4ee5fe91d25ff086b943

SHA256
9d2ce1c032646d2a3381b68bc9201e3dcd53b764e83a0d356d67cc4926ece015

SHA512
95e0676e3177262d29c4105edd4ce1fa1c2a2da5cd3289ab0f873fba782a0185e4bbede5d64fae1f6c4cea5ca3ae0697d7113e6ee63f229431bfaf3f8990c517

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14768_.GIF

Filesize
423B

MD5
e0a6fc12e9cddb11d637714157db14e8

SHA1
5c2c7b2a90861b03082d3af01f802d42b937476b

SHA256
2f1411c6a9eed5ac2ccf7eb35456b8601e3c96907765746895325407cc307cc4

SHA512
3f30489d8544921a38f743f905aded78827948c695acce03cf892121893ad7193f7810ef5e5941e2183483e27cd384fa37dba257931f392fe0781eebce384ebe

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14801_.GIF

Filesize
900B

MD5
8edc22fedce822ad66c7733ea98784b2

SHA1
9c0986ff2345b18e88d604e24a105ba386d87b21

SHA256
fa807c957eafe34b850cb453a096df2e5899f0902a837fccd59f9aafa869fb44

SHA512
31bdbaf34b4e8f2edff432a5f1ee5fb571105081cea907b6cd41c529f4a9ec4956d009378f3b4fd912abab84605d78da298d4718b75780814e1fa1e86386d20e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXT

Filesize
205B

MD5
0ec3bbc188caf04134280e5a95f00446

SHA1
bd398b51e76ebec0b43d756e04548a1907e8d2ba

SHA256
97779f7cae716a4243ac78cdd8c051cfbefdd111d26740978dd0f4c962c2aa7d

SHA512
e67b8b8f0a30a663360fbac820bfe536abb5534db6e0475424ad3dfd526793663ba5e7d866ebea85f67c9154d6bbda2d38789255f83567be05848cc0d7c1934c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF

Filesize
341B

MD5
c2dc578691371996eab94eb37f6896e4

SHA1
9c09715d6b50b203e161cfb59bbbfaa7837532c4

SHA256
9f3a97071dc41574af5b54e44945fabef8d5da339d179476a78dbd624a60033e

SHA512
a3778926bde4b74eb0dbda8c7857f2f05c6abfc39222f80332bfdcf7fcfd4db9b81ddca44c45a1155244e667f98f07c7211c25a29c68a62d89b8637e8ae05e70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF

Filesize
222B

MD5
3e586cd8128ba5d03ccbc121909e7421

SHA1
140dc52658e2eeee3fdc4d471cce84fec7253fe3

SHA256
1207fbf437a6d60bad608c9c4a7397194c4f3768142a32c7e5f3a1415452a992

SHA512
f1759159e90975a7baf3c666e402f9063909bb11f47371c9472ae40315ba13454f0ff4aa418c7d0079eebc09909268b5d2d39ef871f0e5850544b1442f9d6f1d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
9cb5fb90f42219febcadbc6eb57257f6

SHA1
c948b86625804155f9ac9478a07cae11d8021563

SHA256
1093af6901915021573eb2e3bcb49af7f1eb79df351806d325b80f1baedaa185

SHA512
9c9031770c5c67f40b93dc7dac91822f3b5eabe1deb83eceb2a878afc810a810ce0521f966e68fa49aa1973cec342cd3ef6096ebaaa191b885a542e4a178ca5a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Main.gif

Filesize
1KB

MD5
79b9e09ca5f8f8ebd840da4c96afeccc

SHA1
efd9e4cb4eb7a896db0cd0de5138eb5be50864db

SHA256
318e9e1df845c4135ab519baf8e2c9e617df90e2b3020741ab5d926bb0d4cc93

SHA512
2df29a7c367151d76b4adab7002e0e90337c1ee07f935545cf30cb729ae91171bceeec0e2611e50d91d097797bc221ff63f949e225629f23a0dc5de3dae851da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK

Filesize
114B

MD5
301657e2669b4c76979a15f801cc2adf

SHA1
f7430efc590e79b847ab97b6e429cd07ef886726

SHA256
802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b

SHA512
e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC

Filesize
621B

MD5
59bcafcabdd1f16e7b9889ee10dec858

SHA1
116cf3bc4321fa20352d009e1d0cea588a9b61e0

SHA256
006f8885e892963b3d4a0b53141f888ef5d0b36770d43b82296bcbf800a89d13

SHA512
2d0fe70022c2bd7397b94c78b27d6c3d2426a644a1601b6381084941e9b1dca913d0e0787d8e463d69d7730031233f5b85ec76b480b736ced324fbd45727dfad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos

Filesize
549B

MD5
db10fd32bfe67918ed177579d4be9d76

SHA1
44ecf4c5a6fbbd1ace84d0efe91f13d6ba6bb738

SHA256
c936ab1da7ef4314182c8edabaeae90f8d51ed45bc48848d35670adf5b470d31

SHA512
bb574ef876e7529d4f3c4c52cc54aa1814f2c02030b83a5bd7223d4b31c992668c00e4a7e68d4f1caaa6493db4ac84eb649fe59e98feceb9828119cac1e74b05

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Curacao

Filesize
77B

MD5
2b62a30906a2b8bf3b68abd2ef9d105b

SHA1
9898d25a214dba04ebd7e3030ac9e2e90ea7a369

SHA256
075561eff2cd3ad586776fa904f0040282c5f6a261f6a8fd6a0a524d14cd2d2c

SHA512
6db5955477a9bb5386c1af03df526496f9e64533e6c3071c8e5c44062541e91e9bb39096da947a91bdfa5e7de53c1e047dcf427c1dfde94554d7458f8f0862ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Guayaquil

Filesize
65B

MD5
1ef5e829303a139ce967440e0cdca10c

SHA1
f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b

SHA256
98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7

SHA512
19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tijuana

Filesize
1KB

MD5
71c7e24524aea1022361143d0a876c84

SHA1
b141efff466f27664599dd2aa91f0b7c50736f1d

SHA256
07a692cc9bc920ef8caed75ba9af60ad2d6b144c83bfde3b91a77b5bcce277a3

SHA512
4cd51849de464e0139ce77de3003af1ab1b6c639862fb7d5e8362f33ef0a9828f8af9ebd6d4b4ce9dc5a67084bc5c1106fd3b3327fc428e25c75b780e98d37ff

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi

Filesize
153B

MD5
d13b5ffdeb538f15ee1d30f2788601d5

SHA1
8dc4da8e4efca07472b08b618bc059dcbfd03efa

SHA256
f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876

SHA512
58e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk

Filesize
589B

MD5
985f599bb4b81c01d5b5d16ad241d5ed

SHA1
a90b24a33383273378fc6429b95fdf62c4c2e5d5

SHA256
36bce57f9ab26334f370d700cd0a853618cf2051afbe561ba09b0aae5dc371a4

SHA512
fd8f3414083a7b4c75e9a5dc043f38db062971dcac022194c274d5f5816867961736dbf0e17b7da19ca9c835f2e11864e0f305895e8c76eee3d0c5ecdf3e0239

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide

Filesize
1KB

MD5
0a876dfacfdabc170818581a2e6e6d54

SHA1
376fd52e52867f959cb2076fbbc4d214778a7fc0

SHA256
e28b98a94e0077340a3aece749f2d400c3f06890cec9447f4c2567bd1e7a5839

SHA512
766fb737e92fbd233563887cf8335c9aa4e96d3a970c28b7ddebbd21ca764dc85ee4ebd805538f697ad8b2d59ed0c53bd46d9fb7077d54c136f9c22bedae9cba

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10

Filesize
27B

MD5
65435a5d117aa6b052a5f737d9946a7b

SHA1
b8b17ad613463c3c9a1fe928819fb30cb853e6b1

SHA256
ea49aa9f6f6cf2d53d454e628ba5a339cc000230c4651655d0237711d747f50b

SHA512
4f85061ef6c66bf0e030af017af8c7154ed3f7953594ae2cf6f663e8b95ba978a54c171b01f212880e2711c2fd745a12b959ed27e7f6b1847273f70a4010ccde

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville

Filesize
85B

MD5
eeb20c9bc165677800b6dc7621a50cc9

SHA1
def5026103297fa44a2185104f2ee400cb93329c

SHA256
6a3a9301bb8dd782bb5c170bedfa73e9e7c60235e6e1840f14bd14b812127ef2

SHA512
d4e72f43c75de83deb0526233423726503354d7112618b44c94e695d159a02b6da4823a2c9a2be8cf71d2c7e42108d0db7edbb54a640579f853e6d110e7599ed

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury

Filesize
89B

MD5
335a7c8e767a2dd0ecf3460eaabb0bbd

SHA1
111ffd83edcb095d251067456a3a60b754b4c717

SHA256
a0bf83b3948dce6afe987c170a5cd711a3d65fcd5c70e3b7bbfeeb1578544609

SHA512
bf0772423bdc11a4029439acef8922c6c541519ce98bce97681d1a1da32bbf3a73f506138d494d9cc860b6afb3584094565db7683f6b2a2cb30e3e94430d1933

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8PDT

Filesize
2KB

MD5
b8d5d64c3ef0b30644898a80682f5121

SHA1
bbc7b3902250307a2cdbb314abe98e34795032be

SHA256
2f329134686a44ee0362fd0c8b5d071e38bade32a5389e31282f64f565e76759

SHA512
f1f90923769648e585f3f38724d203e4bf6a10cab7c6708f7791a83dd6348b3b9948eaf481baa7bef31ff63d75b6fe1ec00cb888dc1acc8b65b90d96bff39638

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

Filesize
57B

MD5
ab9d8ef2ffa9145d6c325cefa41d5d4e

SHA1
0f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab

SHA256
65a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785

SHA512
904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
133B

MD5
b85026155b964b6f3a883c9a8b62dfe3

SHA1
5c38290813cd155c68773c19b0dd5371b7b1c337

SHA256
57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f

SHA512
c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png

Filesize
138B

MD5
a2bb242dc046bacdc58e7fbbe03cce85

SHA1
052ab788f1646b958e0ea2c0ef47d00141fc1004

SHA256
486a8212c0d6860840d883981ca52daaad3bf3b2ab5be56cdc47ed9b42daba22

SHA512
d9bb4c0658f79fbcf22697c24bc32f4ef27ddf934e8f41cf73a2990d18cdb38379f6b61e50edef8ebdf5a2f59a0f8fa40e000b24f1c55a06cfa161db658326ad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml

Filesize
453B

MD5
118db038cff249fc1b96f7a8f2b27620

SHA1
6f804438c7a4af3c57191138510a644d24bde92b

SHA256
8d43407158818d7f3e03cc0a6ae6d789e9e393467ba847a998214eb4e292b989

SHA512
4ee3a5d2c49d50ecd97193828389d3339661f90d8b8d41bea5fc4ffedb26578c738016fc772217f3f5049adadcf744273f6b9f60ba379a8e39fc60188be5dde5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml

Filesize
437B

MD5
ceb1e6764a28b208d51a7801052118d7

SHA1
2719eea8bde44ff35dd7b274df167c103483b895

SHA256
99d48b66d590c07b14f4cd68adac79e92616afcf00503a846b6bf4599bfeabc0

SHA512
f4a2df6229bca6c6ef9ef9f432847683238715eddcb1f89c291da5f5900c9a3461204d8495c3450c8bae1c1a661424089554d316468ba1b039a2c50d6e69bf29

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml

Filesize
431B

MD5
2c16868331f82ff43059dcb0ea178af3

SHA1
983589535e05c495ffeae4b0b31ddcfafe92a763

SHA256
be9ceb4464b22203feffd3700c5570b7d6d44c5d0d357148e1e6d5be5e694376

SHA512
184653d3e40df84cd0052e5d9477201f276ce0e8cbb5e4b7bfac86fc7da325eef476982910be24c20725a6db6617fffd88998d6053c1b694718bc7ab0bde9ea1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml

Filesize
411B

MD5
f7c78514872f9cb5585f8d69532cd2d0

SHA1
ff9dfbb62a3b48c85b6434ee831fb33a8dba9526

SHA256
5f7bcd85900e62abb00ce739eaad53d80170a4a6152d951b6825110d2fc17965

SHA512
50ee6ae916ea0e806b73c2e5bb727f6ee4837a696c5bd8559ede78148b40a5d5cdd135e28c8b5153a8fef568fd21ef0708ca198ace89e7120ffb84fd9bc91c01

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar

Filesize
1KB

MD5
8b550761ab80413c9c09f7fb472dbfaf

SHA1
67122822562203c17dd3f762194e470f90ddfa97

SHA256
f5ea79165516de2e7e1efb53d016983f5d18c3184413f044a4002f4b751c918b

SHA512
9546013cf4d45a2c4c609524b7ed4adecc7dc2fecded7c3b7085415a1bcd1c25db5d88bb591ac05fa5a6313763a8e8d5d8fc6ee6610b454cf7696b647e7781fe

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml

Filesize
400B

MD5
a75d7d422fd00bf31208b013e74d8394

SHA1
3d59f8de55a42cc13fb2ebda6de3a5193f2ee561

SHA256
7a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5

SHA512
af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml

Filesize
429B

MD5
d7d2fed9b7c55fe72a6cda66725cb7e8

SHA1
2cb154a1c4a0553658801a088edf87b5816cbbd2

SHA256
a6df5cb2b51fa56609c7daf08d28f0e41801b96f9514a9d179992a63afd516b5

SHA512
0ba4d570d624cc5aa6af629260668ad805285fcedd61002999734fe04cae47016cf52022c327cf22935ded99b30c52d9f041ead60a3425365116bf1bf4cbcf5e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml

Filesize
473B

MD5
437687da72730cf42ce36bd093b78b3e

SHA1
693e31dc362426bc4d7a6b2954f7c80267476d66

SHA256
d0d0b1face19fe4a88c6b51f6ced55ae0e00ac548b75809d88089ad431da5d3a

SHA512
7d05e270926dcb452ce405dac9dab6e9e1a0dd247bc93f0940826eb4abecf827acb6f42ef32d3b6f6ac4b46b28d522e0b25f6b8b679affb9a198db8ba4fe2daa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml

Filesize
463B

MD5
48e296d8287ae11c252e4277ee885161

SHA1
8a75b573549c2791d38acb3a4d215fa2153b37eb

SHA256
c94a9a55369ccc4b41a71b9c18b04e1778a0913447ca6b5a630135f7a7ac0c1b

SHA512
b17a5a8a6009bfde681829bd7be3b550d8b8bf6bfee19bdd55567163890550980ac0633fd956f117006892638f408c63449d4520b0716e6866ab0858cc3f743b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml

Filesize
393B

MD5
e7b188938a141c90dda76cc258c01f8b

SHA1
fdf0e86d2f90e51797779674e429b6f826107a5b

SHA256
77cf0aa8aa6d73f27ad7faa42f7c9a76a689a60d74483f96050dc1cc0adb88c0

SHA512
b106fa59882b0345ce6885d902317af39a3f538731d100e4a92920ee7895ceab8a62d563c4137f8e3e1c7bd61ad6c017ddb301adbc01c7463984b3b245b3da54

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml

Filesize
405B

MD5
bb95a9de280c528c32806d0d5231de6d

SHA1
bbffb8596f1bc68df5603a10a3672a02ebd3ea8b

SHA256
a7ca0125b93e1a5681d5a9c294ec3a4e5680cc58e44fd223d2dac04232b7367c

SHA512
ac4cad4f24495aa6b0d5ed8aa439554f479cc2fdba4d5dd256f1983fa43a4121c8fdf79ad7ec9d9a396a73fd480bf2f5141ab5303d50c8b6d2ce47d158010a80

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml

Filesize
414B

MD5
c9580e2bd3527b65bf5b812b477ffe30

SHA1
66e921f302739af54e7a991ce38a1d37ead7c7c2

SHA256
e77bb87374bd3a9b3ccdf932d260091a3ffeb1d1ad9d236b54f0f6797585ebd7

SHA512
e86e61aa09e93395f03b9976d6af4f775be3e017ca371a837e538d440e04b7813d2855c3b7c2444aaa357c9d7a3b5ccca7649c6c557bc3f520b953d96aa93577

Download Submit
C:\Program Files\Java\jre7\COPYRIGHT

Filesize
3KB

MD5
2a79a18a4fce30f9d28abe3b0174812b

SHA1
fce91cb769cb486bd59d97a59943e69418c03e06

SHA256
46570844fde2506ac28543dcde5bd20877b0bb2522a0cb11671513722ddb842a

SHA512
4ed0cfe9d66106e365977378a53f7881d1bd795fda7e89bc8e879888b54bae79ce80746bde779c9aad058000f06d1b96d8e0c7bacb0b871d3fc075e684a0f2f9

Download Submit
C:\Program Files\Java\jre7\lib\management-agent.jar

Filesize
385B

MD5
4eefd60f439096ed98b6d8a585da12ef

SHA1
75cb70498807b0c823cac760e00652842c1a63c3

SHA256
e743d6195ff2f42282e101f9471874e8df79dc05a69ca20abf22015d48d28c6c

SHA512
78241e2336f4ee826719d5adc70543db0f0767a1660f723ddfce72c170322a13c0f3c547eaea6b6cfc47cdf6d8e5edcaff4bd003cbf3eb9d3435bec5158fb8d2

Download Submit
C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg

Filesize
105B

MD5
d1950d80f172e80f1c48685c51835807

SHA1
ae9fb8e72137c1729ffb559aa5f541bff78661c9

SHA256
523c41464ee47d61350e15bc091bc970d73ae2d00bfe7a88bc7fe00ae6202c75

SHA512
a6af7912278d814025fd2825a16943917461c881a8f2ff1972497a3a9f6998e349c5e375d69bc8697ae7197054083e0988198c4fc57cab3184f98f82a07a1a1d

Download Submit
C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi

Filesize
97B

MD5
9e0573ecb4a0800788a3aa64ad731bbc

SHA1
fa205d2a65684c6245a2272facf45fb12ace4014

SHA256
136dd1a7d0a62859f2077a62b7673c5c712fb750604a15f5f6140ab2c5112327

SHA512
3c01530d43156962f4a2305472eb5dc77464ae3bd88f932a2f55e72355c4c1db1df050c94951a1375ed6f69bbc4102ef6ea45574f4ca293123685564a1334596

Download Submit
C:\Program Files\Java\jre7\lib\zi\Africa\Tunis

Filesize
329B

MD5
66663b7d29e1bcbcfabbf26496f44d28

SHA1
652e5ca160b40dbdb15b9a3b89ef967d6d44d455

SHA256
8474486baa45dc211adc58156a75954f3542dc65326d6e5b157288711ed74e75

SHA512
aae76395ca6c3fe5e58a64618fb00ba73cf1198450da008edff89366bb9fb5bb62ad91f06b65a3af57c45aec92a67b2d51075c9438b526f5edc0aa4d4f38e17f

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan

Filesize
557B

MD5
128e5d8a837d1d9b540b96013e4c9f19

SHA1
641eb152f889f8027c1fecec8fd81df2540400c0

SHA256
58bd661ff1a892697366215a8938d1c616cb4523e1ede78b49d155b132430917

SHA512
2a64edb3c126e9d432f8c8592af3121423a93af9d266649bb33b73e3d65a5504db3f00e268a51fb59ddd3e279f03d2048b3b243e9f5602b2399584928ff2a316

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Blanc-Sablon

Filesize
93B

MD5
90c805bcb9fa376aacfb38d598ec7bb6

SHA1
c264d31acdf5c68a97ba444c7fd7e8af853122c4

SHA256
dbcfcc77f5774ed3333f3963eb84a324fd967de4d62c96631be6af1d6b3fe136

SHA512
bdd9bfe471648e8a116ab65d97e56f38b2d7516e0ba522de25b284c7b29d089dc039bb653f1b08e6ea0792150cad576adc48890dd6956a6aa29e5175cc5e2f0a

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica

Filesize
137B

MD5
1135e286fb5224ef530f4ce0ec4a2835

SHA1
e1ef9d5aba553828ff9b4ff2cf9c1f25b085c6a8

SHA256
4a93894f08d98d707cd9a0274f4c9a51bcfa27e701359e12befcc78ffb488817

SHA512
f57b77dcd655d347fdcfc3a1beada329998824caa5db061553a7c784a163b4641076ba99677a4e648d0477671aa14da7f883b2df8b9ed6eed3985e7c2c8ca4e2

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Matamoros

Filesize
788B

MD5
93a2fdbfe3bd18cfa0620f2632efa4d4

SHA1
c0b705de8aa572a851737c34f1721c501473d31d

SHA256
3e84c247e11701fb5451865acb6262c8495d47c5f397a772a7bc01c9ce9f5b12

SHA512
1e5454026ba8100ebf7a32dbdda862c9c315b1f6a758242a7c451ade0ff87ef3757fd8caf58c96a0bd63e7bde72217b9664edfa2bb426f50a9ca9cbc2dde655a

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Nassau

Filesize
1KB

MD5
4401d715587a3bcf3830b14dd764a25c

SHA1
33117586fe2f2cbfde2a7ff3b1fbf74927a65e42

SHA256
8b3827b7bae22f976e2a59e9957ba8b3b9cee57a4cf923a4da970a8f3c1e79c5

SHA512
7b63cc90c5cb65c3a54ab7249b67d9f12eb86237410eb51e961bd39777f517d65b62a08f018e8d8ce89745c2222b2302a9a007c88771968e81e97a60ce037def

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Noronha

Filesize
377B

MD5
527e3a39bc066f9dfcc85c57acc8d262

SHA1
aed5fa100750d77de0ce7e7c2e6d7a322131c910

SHA256
43c2ae1019ad57912662c9bd170d8d6986299bad4ec76811e70c98c4a1ffe3b6

SHA512
a1a0266e0c1b0e8b33e4dd242be63b258df4f2d1ae748583649dcb22ba82c7cd27c4ed12f632f7fd745f484621a303f8ace8c8f91646c74ffc71cf0ab12275a4

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Regina

Filesize
481B

MD5
05640f18f5c0807dd96697e31fc5d8ba

SHA1
659edaff37a05ac603d08c90d2b5d26d9c90c78b

SHA256
86fbc959c7ffdeba173fc2baa99a8a93d75ba5d6a83a3e3300bab1b0a46b1d42

SHA512
000113934c92690a06eb580a6128941aef65c5d9ac043811627175332a0a6aaa4f55bcae211aafed8c5a7cba9dae94a162785c749c08392cd42978cef1771b48

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Resolute

Filesize
1KB

MD5
cb97b848abcb6376d491ac6bd9cbeadd

SHA1
3800020090c3bc180b0cf63fab7b39905680453c

SHA256
d6369598c0846422df1f6e1029041784e34d3b6fcc12a3ba0fc1613a0f80530a

SHA512
5c910d7062750c5f76f87e174eb0b1225453fbf36ba072d04ca025579af6a051c7af85c7772a4756876659ab6f8cc4429c11b3620c3f5298e0599ea4f8d5a644

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund

Filesize
1KB

MD5
81ed540e1204e3237f63da49df05a7d5

SHA1
88176d30b1bf7d6f87f1ba92dac451b883dc1432

SHA256
256fb9c4796b15a7ec4b0d5319e9e493ca4cffda658310420bdfd31e1c59da79

SHA512
92b183b168ad7cf33673e688094d8199cff7c3063aa3e2b83891838f02ac1a79291e6a36e8216040c588306191634cf51484c79f56106492408dd09079e0f807

Download Submit
C:\Program Files\Java\jre7\lib\zi\America\Whitehorse

Filesize
1KB

MD5
1036f4aae37bd39b2ecc451c487e33c1

SHA1
8d60a72a4873cf55fa7bac47dff692303d17d157

SHA256
b61465acf0031e6a4cc34a66d568bd1735668abf591a6badb1f5f5bc20bf9919

SHA512
3ac2c8d3259ecbc41b186c2861ea6be3e6f9cc6b673a2ef610d42c91b359f31e941aa7de1d6ae801191870acdd6590ec788839cf9c069a7fc658d84582103a62

Download Submit
C:\Program Files\Java\jre7\lib\zi\Asia\Amman

Filesize
1KB

MD5
227fd460860a3ad1fd2b245793c07f95

SHA1
71d8da21d4bb33f4cc32b70b174815e40eda657e

SHA256
693195cf289838146418e1bd05fd1a482c36ff75a77874609d615247285d5b99

SHA512
ce035dbe02b8e15091f7fee997a823dc4a0ef12c14e4f7d8441b9d3d9878bd17036db61e24d4e67db2a6e1f8b50168f6f03311b19713c688691ce4298b1deb2c

Download Submit
C:\Program Files\Java\jre7\lib\zi\Asia\Colombo

Filesize
129B

MD5
5f54d1240735d46980b776af554f44d3

SHA1
acf7707c08973ddfdb27cd361442ccfba355c888

SHA256
2c80619d7e7c58257293cda3a878c13e5856f4e06f6f90601276f7b9179c9e07

SHA512
b1f542f68a48608ae53904fbe2105bd8f3e544941abb38ec9d24cb7a26f916ef94cfb431cce0c64077dc2934913130d78492914a5e9ffc52f311e68217caef15

Download Submit
C:\Program Files\Java\jre7\lib\zi\Asia\Dhaka

Filesize
121B

MD5
709c6a80af0276b170c521117ede47c6

SHA1
8e6d9001ca20e76482e1ab88d54d47c65c8c7836

SHA256
d8129de4286dc4fd245c7776b51d76aaa727956e8fc88ff928eb69ff7fc17e0b

SHA512
bef13fa741340cb7c1174406f76f9c65445c76ec091e47daa8537b5f769ad2231347c61144ce8f6e4cb16fd5cd27bb169930c3f8c3b5b9e24e6609491fbbd4e3

Download Submit
C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe

Filesize
261B

MD5
0d4ec840c1db49efd9ea0f2dd0a7c66e

SHA1
df44812586d12298c713564804b42142fb68a8c9

SHA256
2091501cde52f2dd75b74ad947075b6381c5f503af97a66b592b7caebe9e36cf

SHA512
85585ff43a93051adce2aa4f7213bb5a8e4b4160bc1ba20eb061fe1b7d489cc07676b512e00c37ec63d76e08cc98598901ae6babaaf57a0c59eda9f621c1bbfd

Download Submit
C:\Program Files\Java\jre7\lib\zi\Asia\Jerusalem

Filesize
1KB

MD5
433b6e531d44ca54bab63198a3f6b388

SHA1
f1dceea33541fd68c8e9caaacc76f062da393a90

SHA256
c00b114d3e1a4d978c0051e7e8503f7fd30dea142240d6b950164a37cce3edaf

SHA512
ca77aab2370179c0f5eeb6b8ed8b56eae5c3083860f51eda2031f7d5772e2018011ad5b004b1db1e1b5bc2e4c0f300735eac814cf913f54791fa26375d3eaa11

Download Submit
C:\Program Files\Java\jre7\lib\zi\Asia\Manila

Filesize
125B

MD5
38397588c4d02f8b95c263852e9aee7a

SHA1
80691ad30930c04fe1bb2f645f9c6c0548ece80d

SHA256
42d699d9e89e439804c0981f96b1a3fa7dbe42c6be1dbca6211c6faa4e0e2463

SHA512
e46b5c1865b53513bb10be9e3a2c2a54ee9e88f83e8802e85e728a2364ab649ecd4af605b41d7583688f8a78d1b49e36f1ef5b8824ab89885578eed8ebdbfd15

Download Submit
C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk

Filesize
581B

MD5
88a4ef65b666e053c28c9e023d8579f5

SHA1
4a9c1d641605648e7e0ff0f87d1ea6d21ff42a06

SHA256
88d5d20f83be8b19edd7cf53771fa94c1a67429f7bf9cec90822dc84a3a434a3

SHA512
9ef796e128b899f33feb0fba39017a0365e6289c3249ef6d2aae61c6c0283febf89626323bcee6e1e3fb9e80c4908c2ca09ddd53396ac41c78ba2e5c47500f0d

Download Submit
C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda

Filesize
465B

MD5
a1534d6e98a6b21386456a8f66c55260

SHA1
c7239c0fe3b7a00d812e548f4cb9d8d863e8c251

SHA256
4c555a3d8b83f80c2e0d0b647769e82148ebe7e27811d0a63277d6f61abafbbc

SHA512
af0302203a3ccb765aa4ce1b1ab524ffa500d62e179ffb527b76d2b62f5ba31b037902d8d46278378e7255a91251f06c0779fe4940d47a582415a201b0e401db

Download Submit
C:\Program Files\Java\jre7\lib\zi\Asia\Seoul

Filesize
233B

MD5
64321e9c7da09049fe84bd0613726226

SHA1
c2bed2099ce617f1cc035701de5186f0d43e3064

SHA256
e43fe96a7f7ec0a38984f78c064638b2daa75e261ab409bbbe2d3e590265ec7b

SHA512
4f56b895d0ab27f71ad4f5e54309538ab3052955c319ca5f718e6b8f8fbed1bd5f51f036eff7cd82d4403ad4b93395ddf75dc8621041ef5c5ca916c1113104c7

Download Submit
C:\Program Files\Java\jre7\lib\zi\CST6CDT

Filesize
1KB

MD5
359a1339722ce22ffdafcf70fb387a3d

SHA1
a958f03b193b09efcd8d35934c33b524b4e0cd7b

SHA256
fbb4fa31c3fa0c14ccb3fe426e39dcad529b17e379309c0adbe27fcc93feba50

SHA512
4a90df2fa4bfee474f9e79570ae05a26b6752f0244ab755a49ac0d38f69f28ed97b134092f353ded2c968a3d9baf2d08a73eee2943e8116b65c4c8357bf2dc0b

Download Submit
C:\Program Files\Java\jre7\lib\zi\Europe\Oslo

Filesize
1KB

MD5
677bb0dcac881a5a4638ede690ca721c

SHA1
ab8e52e9f345d8152a39110c9ebbc07bfe37b182

SHA256
97d364e2d3d35f030a038c41bbadc42d0c15fa8d79ba569987e19fddb2e80f9a

SHA512
6485b77c5bd7581ba0f80318493879df55d29606e30bd8a609f18a94da581c46e2284287869d3d1b7dd2857a5388fd97c87070279305b66e10d67430d5c96a06

Download Submit
C:\Program Files\Java\jre7\lib\zi\Europe\Vienna

Filesize
1KB

MD5
fb4aa89fb89bf94d0590a3174d1193ff

SHA1
c3812f2105099071c24141a994a9d5087199dbf7

SHA256
655a3ef0465a9f30fddf25f4dde0c19a05c6f9069b83961800c1944165955273

SHA512
a494c0d9faf3defa9ff320421d0c00e4e39845f7e998c6a06c50b5e7edbb1ed7a948dda23ace06a3433843615553d2357f1cb04acb4ad1155ec43f1d07511524

Download Submit
C:\Program Files\Java\jre7\lib\zi\Europe\Vilnius

Filesize
1KB

MD5
515d8db6175667b02ed715ba8aff0b2a

SHA1
44ca509396091b269d47da24e3d7e09fd8da7268

SHA256
d50e2d8474134908822ade46e27717d1a22aaa2d4ebd66ee14c988ecafc01461

SHA512
b0003c56ca6ca6789847ca2d75eb762a7da8870cde67cde39baa6d8a50c0a4c62fa1cf67bebb892ea50515ea7913209bdd0ae946b76ddbb1aef46a8f9cba5b8b

Download Submit
C:\Program Files\Microsoft Games\Solitaire\desktop.ini

Filesize
101B

MD5
22577911e88af39f79409e6de8eed4d9

SHA1
93436ea60c5dcdd2e9893a025f560ab72422ae8c

SHA256
e08dd9962eedb16e12840ea2a977cc07bc5fa8d96259682edaa080573d525e4c

SHA512
2db5f3b0000212518614c74c73dca3205cda5751aa2504ad9bf9b98be46e98143c064980dce9a8a6372305840946717c38e244d9e1f2ecbdff683fc1f0a8fbb5

Download Submit
C:\Program Files\Mozilla Firefox\xul.dll.sig

Filesize
1KB

MD5
69016e6a597d194701476b8e04d4e028

SHA1
71a24ddb0c5bbd321d3f09d7b322c3655fb5e129

SHA256
4740d289d0a31bc1fc00e255845b3d8ba7cec2d6d0ee92177d23aa293f9fca3a

SHA512
a9399ea57f65c6569e2a9e9ebe9fa2da7184ec92a555549f39cbbe9dff15530ad526107a2a2304d822be37580a965c6ea4e88a46adebd8ff3af402d2c25321ae

Download Submit
C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png

Filesize
201B

MD5
6294c74db1a4aac788765b4e0a0278b5

SHA1
81e9bbc06946e3c078d1c1aa150ca93e501ace6d

SHA256
ab3df617aaa3140f04dc53f65b5446f34a6b2bdbb1f7b78db8db4d067ba14db9

SHA512
a4a83643031063cab4226cef7e215765e6f997ce7719173632a66a45bfc0a710b3e6bc19a590108bda91576030e2e37f77e339a3f4e71478d96dafb0d46d2941

Download Submit
C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac

Filesize
1KB

MD5
c3e4eefedd55eae4334456daa4aa0ad7

SHA1
ba9abe2d4d40bbd94530564b6eb178ec02a47204

SHA256
7081ba3d8887be22551f56b5f50da675bda7dd02f40e9fcb150ac84fccbe387f

SHA512
a302516427a81e59fe955f4316fd56b8e5207542b1abdd7eb3fc2e9dbc669849dce90d12d9160b59d45af233e63e2156f3a3f1e7807b7ae1b1225a94d472cea3

Download Submit