akira | 2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2

Resubmissions

20-06-2024 08:48

240620-kqs3fasgrl 10

24-02-2024 08:34

240224-kgll1afd31 10

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
Size

573KB
MD5

2cda932f5a9dafb0a328d0f9788bd89c
SHA1

e27521c7158c6af3aa58f78fcbed64b17c946f70
SHA256

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2
SHA512

3bcaf2bda26b22b67edcdd5ca357c8e0b7124788dd905c7bf6cacce080ae3f24bd09e1e9260a3ebf3d4d62ea749f7a8b965193a2ebf6db85a563735874511880
SSDEEP

12288:BV0qnXKTH2P6rxTcQpXDHgswvodgTAdA:BV0EMm6rxTcQjos

Score

10^/10

akira execution ransomware ransowmware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\help-you.txt

Family

akira

Ransom Note

Hi friends, Whatever who you are and what your title is if you're reading this it means the internal infrastructure of your company is fully or partially dead, all your backups - virtual, physical - everything that we managed to reach - are completely removed. Moreover, we have taken a great amount of your corporate data prior to encryption. Well, for now let's keep all the tears and resentment to ourselves and try to build a constructive dialogue. We're fully aware of what damage we caused by locking your internal sources. At the moment, you have to know: 1. Dealing with us you will save A LOT due to we are not interested in ruining your financially. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. If you have an active cyber insurance, let us know and we will guide you how to properly use it. Also, dragging out the negotiation process will lead to failing of a deal. 2. Paying us you save your TIME, MONEY, EFFORTS and be back on track within 24 hours approximately. Our decryptor works properly on any files or systems, so you will be able to check it by requesting a test decryption service from the beginning of our conversation. If you decide to recover on your own, keep in mind that you can permanently lose access to some files or accidently corrupt them - in this case we won't be able to help. 3. The security report or the exclusive first-hand information that you will receive upon reaching an agreement is of a great value, since NO full audit of your network will show you the vulnerabilities that we've managed to detect and used in order to get into, identify backup solutions and upload your data. 4. As for your data, if we fail to agree, we will try to sell personal information/trade secrets/databases/source codes - generally speaking, everything that has a value on the darkmarket - to multiple threat actors at ones. Then all of this will be published in our blog - https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion. 5. We're more than negotiable and will definitely find the way to settle this quickly and reach an agreement which will satisfy both of us. If you're indeed interested in our assistance and the services we provide you can reach out to us following simple instructions: 1. Install TOR Browser to get access to our chat room - https://www.torproject.org/download/. 2. Paste this link - https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion. 3. Use this code 1482-AF-KRHS-EFGF to log into our chat. Keep in mind that the faster you will get in touch, the less damage we cause.

URLs

https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion

https://akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id.onion

Signatures

Akira
Akira is a ransomware first seen in March 2023 and targets several industries, including education, finance, real estate, manufacturing, and consulting.
ransomware akira

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2744	powershell.exe

Renames multiple (8546) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell command to delete shadowcopy.
execution ransowmware

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3060 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3060	powershell.exe

Drops desktop.ini file(s) 47 IoCs

Processes:

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Music\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\01FJG7XT\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\8GCG5X8D\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Y7486HMD\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\FRQCHPZ2\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

Processes:

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00122_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15273_.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXC	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBARV.POC	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\PREVIEW.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue.css	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01065_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV.HXS	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CRANINST.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\THMBNAIL.PNG	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\TAB_OFF.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182888.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\29.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00202_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBRPH1.POC	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Cordoba	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Bermuda	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\PREVIEW.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.DPV	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\Revert.wmz	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107290.WMF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR10F.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\MANIFEST.MF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\SessionOwner.ico	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEB11.POC	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\help-you.txt	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exepowershell.exe

pid	process
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
3060	powershell.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
1044	2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeBackupPrivilege	2576	vssvc.exe
Token: SeRestorePrivilege	2576	vssvc.exe
Token: SeAuditPrivilege	2576	vssvc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe
"C:\Users\Admin\AppData\Local\Temp\2b28270c1675990a2c78b31faab547fb75948dd1c2b22e892377ee5e40abebc2.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"
1⤵
- Process spawned unexpected child process
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\help-you.txt

Filesize
2KB

MD5
a4d54eaae8d6e0e75825329fd216b836

SHA1
3dd23b09f2fb318e8ad6bfbcd5937a928207811c

SHA256
e366a7512389c1f73a47b9976854b28a73224cde2a0495f3bbc530cc4100bea3

SHA512
1282c30947707871b79d7c10a4e6ad556219e19656a426edb6116bad03059fcef8867d79f6cd558d0b084f193357550bb8788df34fdd750ade432d2a92adeba6

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.zhq

Filesize
28KB

MD5
1ac32a467da14f14e782b0b7478e4a48

SHA1
a78cce1716a3558e07c45d3e2f157e0eaadd9b48

SHA256
ab9b33fc5bf568439de84234248d69dac2a6e6fd0fb724e6aa48d6ce993c92ce

SHA512
f0a6f4946323f68d1392b05e5a9b4d1dd3f4adbfb05fc89a042a225f61e57da7df4bdca764f49d77a3ac9a49321b2296cc883bdd1a4ee0c0c1c2a2e1580e8d55

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_OFF.GIF.zhq

Filesize
875B

MD5
e5e08164ed513e373728b98de7adc6ad

SHA1
04b3462b7018fe33b3980079fec7410f9d35753d

SHA256
e55ad9b088c99373453a014c37845a0b2fd24f2013b6b5d797d19529626f3d26

SHA512
fcfc16cd152f36ed8270e978a1eb239281c768886e25704ccbe6506baedded6e15bf0584710f9e0d5e9e25d976da1853743aa68b7e8131e916f0f08e949b1de5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF.zhq

Filesize
756B

MD5
782bbf00f2cb8596b42c23d426e242aa

SHA1
d590c30f0e823b511df3b081a50daafecd7d0bc6

SHA256
199bd4076573fdffa577ca1e9c3010e4f937daae94b52d4eafa3e6309136c05a

SHA512
fa64cab0a7d9fb196aa550537faa1d387fb3d5d09654348ef9936f93f7aa4dab3e6cb2415e44ddb1786bd0b3a5eb65ed12891a36432e8b91be7104958dd9f8b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK.zhq

Filesize
648B

MD5
195ac54144612ac1161527bc6b55980a

SHA1
c6986a64f83ea3a80a3093583540cac96079175a

SHA256
fe6b0b92817bbb597f9b894f1d4803f21587c719e28ecf9c1bb2c13e17730148

SHA512
48edfff1b9e78c9d8de3f1c3f5c4d473ec0a5366dd873b08c9c02158ea3ca1eaeeb03c0992cbe89072fbf74ee3869ff1897bd22fac67edd4910ef06c736ad94a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK.zhq

Filesize
647B

MD5
6ca60338852f76e23f45eae203c5081c

SHA1
d563e582d679d23cba4052ca2da8c82dd6440023

SHA256
580f79e7809121b858893a9aca3c56104465f8ee049bf579d4c091bf93fae680

SHA512
32ef325d479cdb6cc8c5b169db928943fb6ce01a27ac9a09de2e50174d7b49d927c2ba8cc66b77b56ff77a3ab1ce66adedc48c6890db4a73ec12a56531e90e2c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF.zhq

Filesize
719B

MD5
40799527ae61a8b1b91ff27c9018b3c2

SHA1
e70e052ac6cd8dca09dba0b381a0284e380a9fb8

SHA256
069914cd92ba1b39e3adc6f8cd9ebf39e1eb9ba2ace25ff92ff7eb2dce1838cb

SHA512
7f9be2a2d5c805331d2735f8fee76d255224616ed6fe349ca3f6fb5569a404c9661089db9e76abd8255f7b5f53a8216ecb902947ba2af164debc154961c0c7df

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF.zhq

Filesize
1KB

MD5
95d5497616926096fc699771a0502414

SHA1
d3d55c0d9f8f8e7391df63ac05ee897824a658b7

SHA256
f55adb0cef106efe96a72d1c2e49eaced0b2f33822d366605260d422f2c24ca1

SHA512
a8be1f007e9dd46fcad2b3071e042e75a16f8497dc38982254bdd4653d2896bb810195fc582066535e4709c8fc8b8e14f9052b604e6852b3ff2bd892dc7191dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF.zhq

Filesize
1KB

MD5
9c9caf7b0504ef6745d49c6ccb8b0591

SHA1
23aa3c635c1cfa48649a472e36cff8a7a56a9801

SHA256
486033439f2ec474af9a4d4bb4c961f6a2be61bc11f80c2c61b8af182bb9237a

SHA512
7ecabb435357ac5b1cb9109d5b452c31da28278c98aa8a7bae33db42278117ed4774208b17c9eb0b4d88cd86c522b35b3c3b82d08417bff6f83c9b76fcc54d57

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.PL.XML.zhq

Filesize
1KB

MD5
45a26f7788655203caf3a3313b265dce

SHA1
b37ebbfe316e291f217cdbfbff011d49cdc0cfd8

SHA256
aa5cf99bf3ae7b388b63eb700f203a04c17ea43f0e13664057febf3aee579a20

SHA512
6dae5c29789d79f4e63499d3accc908b58f7e38ad74b0470d6820c9e30e5d3a2f2a59b73fcec974d3384ca3be34f862cdbe8792fad25ac4d2886e1919b856b37

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.zhq

Filesize
12KB

MD5
e9dfa4b7599aacdc3f2cb48930a8f984

SHA1
f3dd808f332055bbb8c2031db52238a1aa2e0f5b

SHA256
7dd2fd8409a8ede1f2dd9f021556b0b110af46566b328e35a597fc175d68e918

SHA512
b845a32412e4c8f51f961c5c36742171037f23ea555a2df700a5db81637f302bf50ca8aebf518a5c3e0036706db7a4cf99bf2d2f48c591ea2f9239adac8d6620

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.zhq

Filesize
9KB

MD5
269e94b158cb0b02d15a06ceea2fc0cc

SHA1
b110b90657c8da3c44d7f0ca317d231ff9bf82d4

SHA256
63eb8ddc9cf3091b8690a5aaef8f3ee9a6c962b3135259b4c6cd2a64dbadcff7

SHA512
cc1ead1e2b03f5d009522e6728ee7e90c43949b30d2be2eadcc137ed3eda04474f7705bf85b4061a45c6f1b00869699d0074e6f2c990848d6f7ef7d54fbb1abc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.zhq

Filesize
591B

MD5
14be688b58cb1757327fd8020f2879c6

SHA1
1936a7044630de2323aa1228ae35225b653548fa

SHA256
e6b21baabdff3422fa76783e46fa921aae4e0c732d22230e767b9eade66713ee

SHA512
e2aaaba28f0e02750976ca35cfc69a1396e1246ae72223b2e9b6a8ee5309139d5f892c932d7c28859381022bd5d96d66023fab11784dec45e149e2f964cee1d3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.zhq

Filesize
8KB

MD5
4f92edb837345de827f642b5952983b7

SHA1
848443cbbe6353567c26db64c548dc2a7d53e3de

SHA256
37538dd243c0b69b2636d6290ed3e832dc2f545fc9052f6fd98d8ef1ce700f84

SHA512
41eebd4d1277f9fb1b8411f2572655ac04a6637a7fa3d3792f7c9bcd8bcb159047c67ccb6d660fb9610157724e68109f2e7a4f97a493bc3dec42dc496facaa6b

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\invalid32x32.gif.zhq

Filesize
687B

MD5
f8662201665fe9b57ee6346fb916226c

SHA1
0d5e27eb17a67712bec71dfd869eba3256b1233f

SHA256
c686758dadd6b681099b9279890ead3d60d470dba414dd5c507b14f15f148bef

SHA512
20ecb8153ffd4fb56c5531c38a1aec336dd06bc5f9667e041d6c9886f98b6f3385d200348f934e6ae6b8cb19c9a165c93cabfeabc2ed8d8f481be095cea0d8ac

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5.zhq

Filesize
561B

MD5
f4c499568c0a647f7939361fa40a3c3b

SHA1
17e460f1d147f33e19fd4d3784d52f28a931b01a

SHA256
ef71a896253dab11dd4f673ca8ef2551a4a95ac9928cbc6b61fde1dd9859541d

SHA512
0313013696c3e118e591ecc219b1bb71919361b190ed8645d02aabca49ab71b962cd6610934c885a74f5d77ec206b925abd26323cb920cf1272601b40e996704

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\GMT.zhq

Filesize
561B

MD5
82eed85639b2a9199fa3369e04ced2cf

SHA1
972ffffe516931d57710440b99247362541c5d2f

SHA256
d2e9c6ca8803f9c40148d97840b34f8a6450450c4e9d77b1c68aad134e31b48d

SHA512
f2a513c476b3f6b0b41a1892cd3396d0870facdc35c949d13e924c739be4a683c1cca5b68491b8c2ee5449611488c32fbf825221ecca1ccc0c22841d14fa1b69

Download Submit
C:\Program Files\Java\jre7\lib\zi\HST.zhq

Filesize
561B

MD5
68edfde0b7c235e79e2a77e26d57de9e

SHA1
a8e79767e8aa64a529cb044409bb513b80702e41

SHA256
d5805c3a504929eba11f59a36d42c8f76a9116d5df1550b20860b4c5d8f8f8e6

SHA512
5b94d4af6e52908c4f483571209038e79d299c61df90ce7c545120870a3fbeca5beed62a48c491cfb347be60fa7c985957d1b16dd8b6732ec659c10a5c03fa37

Download Submit
C:\Program Files\Java\jre7\lib\zi\MST.zhq

Filesize
561B

MD5
46a3ca39b7ebbc3da70b6de81470b1ab

SHA1
06b02868e77c350b02c73d8b836da97f24c09cba

SHA256
289facd47c2379a50b51e53dcb20caa8ac206183750dc481baec3301962377ac

SHA512
50512df36d10a64bb634dc8844d30d48680a08842797c2acad91c0acaa331836a7bc85bc10f367e17d32d2de9c6a85317eec325cbb993c2939709d677f5beceb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\vlc.mo.zhq

Filesize
831KB

MD5
cfad828dd2e3af9d186d0fac96964934

SHA1
46ed7d720f26d111e34ec0375a639bd745e1ee3d

SHA256
5981ba824b6e591e89c890de97062c988d3e61071b03712b409509e574605d62

SHA512
dccb486c2fe6c788d82f74f07ecebf5202cb8caad1ca4bbeba1d5372f326ab068674f22c89f8814a807bf24698aa55d95c1bedd75342aaa494c9afdc749add09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\CURRENT.zhq

Filesize
550B

MD5
7eed856133d43ff1dc3dbd412d2a0791

SHA1
9737a365795891ca3976b96e58e8dd14bf56e0d5

SHA256
121aca53de861c0e04da98049a450af116788d3eb46e168f549ad4cd545f9a86

SHA512
0eb63555c921590115954ecc8f1bc9573928e06961c6a64e24860e34493f1522480f49a9dc9637410b31c85c6987bbfc4c907816b766427e7bf6285d3a2e0fc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\Y7486HMD\desktop.ini.zhq

Filesize
601B

MD5
1cc9eee3fc78e77bce2150bd473550c1

SHA1
b7ab91b74bde3a68555fcbcb6cb6992664536801

SHA256
8d8dcdc2e28f8389893eae8f00d7eb91a9d90ff0b911451b866b79600c80e8c7

SHA512
6dd2f9679e9714e8bfeda6678498b13ed2b342f417f8eaacc87ba4b6c9f451efd2a35c5865f44f9113b897348ce04558d14edf8fbd2f506be68ce59ad5454942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.zhq

Filesize
28KB

MD5
c05bca168af0fd157ebc77ea26629f4a

SHA1
b53cbd940eb53c0df7ab7ca361d85f5875ebf074

SHA256
a1eadde33362fdaf3c96b81b56154fa6b907805dc40ad08b0e0487199e9593f1

SHA512
16ad8f42b694743ec4adce7d5f4b2ed78e8f8af7f84bbea469e12f7dee99af571884f2ef7d8f8f6b0332c07649d73376aafc232a824c06b76444b935d41fe96a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\15kjbvz9.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite.zhq

Filesize
48KB

MD5
7e0894a8eea14d922069b1e1de4aa78f

SHA1
dffe118c0f65d373d7bf17addc1aa487ff052444

SHA256
f0b1594a84245a3a1067b3db302919e1ca50b64cb70c093225da350ad93b3a4e

SHA512
f3bae70aee11c2d864feddf9c1cee08517251b65062f63ea47d2ec06a527acaed887432f15b4b218236c08ea3bf26b351188a55f0fe5944a30450bac479421dc

Download Submit
memory/3060-9-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-8-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-7-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-6-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/3060-5-0x000000001B1A0000-0x000000001B482000-memory.dmp

Filesize
2.9MB

Download
memory/3060-4-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

Filesize
4KB

Download
memory/3060-10-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-11-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download
memory/3060-12-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

Filesize
9.6MB

Download