2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2

Resubmissions

20-06-2024 08:48

240620-kqs3fasgrl 10

24-02-2024 08:34

240224-kgll1afd31 10

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-02-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
Size

573KB
MD5

2cda932f5a9dafb0a328d0f9788bd89c
SHA1

e27521c7158c6af3aa58f78fcbed64b17c946f70
SHA256

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2
SHA512

3bcaf2bda26b22b67edcdd5ca357c8e0b7124788dd905c7bf6cacce080ae3f24bd09e1e9260a3ebf3d4d62ea749f7a8b965193a2ebf6db85a563735874511880
SSDEEP

12288:BV0qnXKTH2P6rxTcQpXDHgswvodgTAdA:BV0EMm6rxTcQjos

Score

10^/10

ransomware spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1416	powershell.exe

Renames multiple (8527) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 47 IoCs

Processes:

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K9KFIAQ8\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YSYAJTCS\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U6FX44QQ\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7GUSN8UJ\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Indianapolis	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\WMPSideShowGadget.exe.mui	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0211949.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10O.CHM	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_ON.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH.HXS	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ru-RU\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EXPLR_01.MID	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00159_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKS.ICO	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Johannesburg	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\EnterConnect.avi	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\WT61FR.LEX	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\wordpad.exe.mui	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\OneNote.en-us\OneNoteMUI.XML	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00121_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Dotted_Line.jtp	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00361_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18184_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\flyout.html	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDIRM.XML	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\play_down.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD05119_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TWLAY32.DLL	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01146_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02384_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45F.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\Java\jdk1.7.0_80\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18227_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayenne	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Common Files\System\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN082.XML	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.DPV	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_hail.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exepowershell.exe

pid	process
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
2944	powershell.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1968	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeBackupPrivilege	2564	vssvc.exe
Token: SeRestorePrivilege	2564	vssvc.exe
Token: SeAuditPrivilege	2564	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
"C:\Users\Admin\AppData\Local\Temp\2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\help-you.txt

Filesize
2KB

MD5
a4d54eaae8d6e0e75825329fd216b836

SHA1
3dd23b09f2fb318e8ad6bfbcd5937a928207811c

SHA256
e366a7512389c1f73a47b9976854b28a73224cde2a0495f3bbc530cc4100bea3

SHA512
1282c30947707871b79d7c10a4e6ad556219e19656a426edb6116bad03059fcef8867d79f6cd558d0b084f193357550bb8788df34fdd750ade432d2a92adeba6

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.zhq

Filesize
28KB

MD5
350494f7dd1dc78ef3784ae61353d45e

SHA1
49adb0e47e484bc8ba08d7728d3961aba242c5be

SHA256
76671872e187d87ea7dc26c6e4520771efc66ceeb0b8e7486a95f898649f2414

SHA512
3d5e1d6d60a9c86a57c8abd43b39faaa3746d0bd607667b2d6033ca316daaa0274716271bc5aea077e115f26dc88fa1745274d2f6f7d875b85c2ca16988578b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.zhq

Filesize
875B

MD5
5b71c594414ec11b20925f7250893779

SHA1
8ffd1d732004edff9be66c5f57731e4b5bb18125

SHA256
84b75d347db72455bd9a16d6776ebd6db0ebc5545b7b093e444a44f2a57f0d2b

SHA512
b32ff7eac16006c6c59087ca3c7de34815db96f7b7f327db166b6ae4cbd9f654f104528268b620531b30a8514325bff3c625e039e7cdfec4df292a37ace14c48

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.zhq

Filesize
756B

MD5
27006cec1f9fbc660cd4f617aad883f5

SHA1
8b80a56392b75d58d7142e38e53753dc73e5fbfe

SHA256
2d970da51eba06c017895715d0cea0785f909b11ee5649054b5e019dc9631601

SHA512
7ae6744116b0c413fd22e6238fddbc962336eaa0fbb7c4b34a2fa55d1bb32a5db851afbe250d65f16b625f3273d342c6068f3e20ed4674d811ad968a987b765d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.zhq

Filesize
648B

MD5
8811fd98129b1a0ce3d4e2500635051e

SHA1
49e05f5d9078d0d270815fdba6f1a470d25cba2b

SHA256
9dd2770d535771a476e3000dd8b9edfe4575d6341cf79d0d8e586c55454a9f93

SHA512
0e4b473a5690f4b0e8d1125bab3c9eea6f1a8e10235f63082ee78b326b1df6e81941da7949f8c02040c34dcd8255333890aa146f4fa52a4f11b6c9c45c5a3659

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.zhq

Filesize
647B

MD5
dc24eb523f378735882a9a7980f99c5b

SHA1
205c7f1d24bda3d8d8c5e561378250b49db8a285

SHA256
a8b3b6996bfb4d43325d3c17496df6441d606f2aab823d7209d3ff68d9f78b03

SHA512
27c61494de9f0b1d3ca3f0b337b91b438409a837edd8c38c0f4b60cce422a853d1edd534023aaaac880c5a01b7b631725a23094a5148dc2e483941e3e27fb6c6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.zhq

Filesize
719B

MD5
33637be0fba0e80db963773db7c04255

SHA1
886a36f1deb6dccf2464e55344d2ae600efbf426

SHA256
61662f060c7881f41741d622e4943c95251ee79e924f71aa4a3d6c48a29b83a8

SHA512
369909cff525a95f1054354f14f9317db96fcd1cbd4023a19ae6e00c5fc5a60744dac4b9707e7c2c440ab651a4c91953451c9b9025a64165c2163d8e6d32144b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.zhq

Filesize
1KB

MD5
e1683eda158fae4b016293893243c615

SHA1
a43ca9cda51679658702caab4fbdbda2f483b6be

SHA256
e98f9e859de23778bb728a0ab6207c6528fbbe89a89f93c8632eaf4952dd4912

SHA512
675ce9fd4385dd56615cecef1876b1ac1ea4831d56f5e83799c674b94b13ac9a9ad19afcddf5aae802798ac1e65ae4c8b305fc68108a2df0b70aa9c6b22ecfbf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.zhq

Filesize
1KB

MD5
233dd108f358674cf2613a3b34820318

SHA1
6a39dc024759414f3cec60e13659107e2b192b4b

SHA256
d1d64791a2649d7e9662ae6e6e76c1056b6f02f5a7bcab7fae2e535c1f1ed566

SHA512
593e56e39e501eafaf98fbf8583234097c13d22ad1c223e34b9123a47911fe25078c4b277fae9962948d94a0378ff7352c78c6f4f31bf652d8591f2ba88ad8aa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML.zhq

Filesize
1KB

MD5
07cca5a1da551db6f52ee42a29e95672

SHA1
056d9cefb063b59354b8906efd26f51b86124d64

SHA256
13d1bdaaeffef632d4a3c37b7cf879e64ce75abcfc2baf6d5111ec72e1b653d7

SHA512
2c7bee72613fb7414839ca02eea89f0f8d60ae4938261c63a371ca147267b46b857b5ffa05c9e2e3fc52e057f70710427073bacf5965d75446aac322cee9ffa9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.zhq

Filesize
12KB

MD5
e7c54e80ae047d7f927d5269519df57a

SHA1
fa25489a1ee1cf1a398e78a4b3cfc1039735d9d3

SHA256
39067577f046680bc7671a93ce041e434d5fab2902e494d72dc64f3b2b8af630

SHA512
9de51d8eb2bbf86864a69d6d2aa8e60a4b637def72717605c7884ff59fc6f6fb3a21122b4e7f5f2968f2b7059cabe5a40bfe0eba13590f33541874b3e2c6e900

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.zhq

Filesize
9KB

MD5
f8133cd7928287ec7c811ec731b3c887

SHA1
17f969543f90a9c311afbe8365055dff9351a384

SHA256
f4a1ad42abac6438563404f127844b3a255ca999c8ea3178670dc1e863450031

SHA512
f3afdee7a7a6e23fc29237e2059256df499dfe088b6842f359f56732321e505045cd21bd21d66b98b458fb2ca39cf9fb1e14b76e60980116899919f56ed19f3f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.zhq

Filesize
591B

MD5
98883f636b67bd09fcb10fbef070f9d9

SHA1
f0630cf8147dbc9f3ff05e454798c88117c717a9

SHA256
bcaab4d0bef8c4c2094ce8967cb526a5fe8dee8dbeb597c0978022538731f44c

SHA512
1de7d7dd7f1f488d98b9378abcc7465bda68b243fece39157529ee04c9e7a26ff9fe6d1318c28622e9a1d4649ab5112f2844d06929e41d39e047acba53357d9e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.zhq

Filesize
8KB

MD5
83aa7e26c6a007131c7f51e0024f542d

SHA1
612393b12bef4804f7cd94590ef55926527c0475

SHA256
61755bc23c18f15970ee49a671201155fb7ae1b02a1d0ed84c9605f193f075ab

SHA512
559eb09ce92e73de8a17f9289b114085b6a557cedc13ea50062347361298a7966b3518710819ccb569b0930fba3ab94811db7b155304e7531796adb81f0773c0

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.zhq

Filesize
687B

MD5
11537cdbe2af036264a1d9c7ac539c87

SHA1
c8f36ab679de18fe5ddb9253b1bb43e7fe5dbcac

SHA256
0f759d3ff2222d3d725a20db630a0886ca02e879fde55908cc32af7f2ccff9fe

SHA512
35069eaa7b713ce89dbea95e84b0d1d77e95c58ceae700da78f194750cf8f27a5ef25a40545a0c7cfc79f2ca18ad1fa758ccc5e7b64c6c4031df2ae3a4a50282

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.zhq

Filesize
561B

MD5
a05ee14d98a2698ef9571bffd2f69322

SHA1
0dda853123e663fd5819c157cf843bcf07a4cd2f

SHA256
6d515068c2895b41ef6cd56250e1a85cd80dfcd6b62a40ead3c744ca9e27f45c

SHA512
6e2c87a186068b6c95ed2c0e28530661d5d91ccf3ff29578923e101ace2e8a5a5d0d1584001b4f6fe6341a0db51c5fe7d9876d08df01f73bfc27e041c04c3ad5

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT.zhq

Filesize
561B

MD5
24fb6eaf5edfdeb656ba477d30a871d0

SHA1
66a316cb8c5a928a9ce91476448cbf89723d2031

SHA256
841788afed032c3a346954acca6c52bc498d83b04112e270a78419c186abb0c4

SHA512
840cc5e8f2548d5361f2ecc084b5b5fc03288aefa8fded5fc5bf44b3183fa515b3ee3637f780fa50f86c43601aa8c5203bd427ddb41a4dd3b6bedda106d95ecf

Download Submit
C:\Program Files\Java\jre7\lib\zi\HST.zhq

Filesize
561B

MD5
b48199f874d3c399231ce20e437afbc2

SHA1
589a62fa75af96f98b0c854df6adce49fd3c6986

SHA256
9907011320617a6399ce661694b47602ffd5f4476c7ac869218ea6b41ab80699

SHA512
5cfb334d8159de6d53c9f79eef7e9d7515a8a3de67b44b5b1331e4b2a087f82d38fbae2f05bcb4bc3e61575dc9eed04617e0e6c6437b553b36d2ef1ae1bab314

Download Submit
C:\Program Files\Java\jre7\lib\zi\MST.zhq

Filesize
561B

MD5
1b47586c2fd39d898286a5cddb309efe

SHA1
3b387990a200b884127717e03ae9bedb684aba88

SHA256
dc6ed667c98d9aa89dae2ba78b48afd6840939aee15ff4e1c0bcd4c04ab553eb

SHA512
4572eb9fb3cb5d939979a8e4a456bcb63a015e3f720fe784899ecab2827f7b2dd91af4c7a0c13b1e987208da70ba790f4e15be4709c5625935ff5d011272e916

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo.zhq

Filesize
665KB

MD5
6e6105f105cbb936ad2270c51a8475ed

SHA1
ef4cd2ffdf3557b965716f613249681a52764e95

SHA256
c9fadbb4f6219ad0fa7cc08a6cd48659ecbdcd06de57384bab537d8bc66338b9

SHA512
2edf3b2b7258ad55396a2f19d869e687f84ab98f3b450b7e9c9d62bea8ded8ee7a6fefe77992486186d74c3241c5eeb325a5feafcbc4ebaf2e622f494d8a64c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT.zhq

Filesize
550B

MD5
f781d7085c8fc9fb93b1582dc3fa2bf2

SHA1
f48cd98d2980fef2365cc23ed82d016e00dfe972

SHA256
e28eb399e70c1153e7b7c95170cb033b581fab370bc7893a019905827058ec93

SHA512
cd62248f1df100f3c5e6dab276723b1ab1562ce3bda520021baf9c985a7dc13e1be54d22429e3dd284b6c15b2e03915fcf91f8ad14e3b38d89c36c8331d249dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2.zhq

Filesize
8KB

MD5
197b2d16452d23c0592477a0030163f1

SHA1
89d73a4c90b8a10e57ab4243ceac1cc3567eb0d0

SHA256
cad8168a7f4cf89c0488013eb2e07a3287026ee87c92e4ed60efb3616938f466

SHA512
a3269dd79da46c9bd77ba13a8fce5d01dea54eb61277fa62927f8e9ad07bedd6306d21f7509c3721cbaab1296bfb5bd784cc6ff0c1e0acd170a33a7224aefd0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YSYAJTCS\desktop.ini.zhq

Filesize
601B

MD5
ce49aaae40d4d135569fbe342552c241

SHA1
2277b5d1cb861661cc086e6847e3587e48a383eb

SHA256
39f656c584da68afe8835a34134378a38e571394a3468a6bc9f5f3d2dbfb8fcf

SHA512
ba721ca237a6f23b6008175c02263c27b29db926ea5b87a66f5a6d3032b04f864844375eff9ca4579e12ca4ac72d4538e19d94c1c8f92505f5fd874e817ac12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.zhq

Filesize
28KB

MD5
4bbb5b4184e56368835e911a1823be5d

SHA1
79b2634533c2d33fe4be8203b0f52ed551876f41

SHA256
43c3bdbe0f4d40255705b055e7a7f7eb401eade7d53fad3428ea0f7b739236b2

SHA512
b8421e340c1820ac14b991d1a592de5d5e2b95ca707636a18d88bab0febbc63a83c7203501ada0526f41fceb5c7578221e0e07fd3216e09607f168e3bba0466f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bm46du9w.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.zhq

Filesize
48KB

MD5
6c18b5ee52c4b97d505fb977d2623289

SHA1
6f73c7e74923eb86839532ed002aeeca9a9018d7

SHA256
9c7dfe26af8eb0d4fb1a72fbe8439b9ea52c5cf570c438420ef558fa1a4535ed

SHA512
2b6c6054b9cf1181dbf56934dcf635291dbcb86ae4c315c55a405ddb98975af0eca95a962be9091464b841f332892a0a327a48a0a29b92ec115c7843ece6dce0

Download Submit
memory/2944-6-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-11-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-9-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2944-4-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download
memory/2944-5-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/2944-7-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download
memory/2944-8-0x000007FEF56E0000-0x000007FEF607D000-memory.dmp

Filesize
9.6MB

Download
memory/2944-10-0x0000000002B50000-0x0000000002BD0000-memory.dmp

Filesize
512KB

Download