phobos | eaf933e9cadc5a4f777a463ee9f73769aad85bef8d72359895a0c773526a6b04

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-06-2024 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
Size

58KB
MD5

9b949b041cfe8391d65657156c2cf4d4
SHA1

1a421a968ce61d0d5ab4c968602298979193c006
SHA256

eaf933e9cadc5a4f777a463ee9f73769aad85bef8d72359895a0c773526a6b04
SHA512

2317ff650d9ac22823e68ea6085e7b0c251eb09b30e1c6341765fdccf42e697bf1d6e1eeacae8ba117fce350cbcc581c96033df08eae163db7e5abdc2d78f7f3
SSDEEP

1536:1NeRBl5PT/rx1mzwRMSTdLpJ7pttkryVJLucrH:1QRrmzwR5JTtkrgLuc

Score

10^/10

phobos defense_evasion evasion execution impact persistence privilege_escalation ransomware spyware stealer

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'> <html> <head> <meta charset='windows-1251'> <title>encrypted</title> <HTA:APPLICATION ICON='msiexec.exe' SINGLEINSTANCE='yes' SysMenu="no"> <script language='JScript'> window.moveTo(50, 50); window.resizeTo(screen.width - 100, screen.height - 100); </script> <style type='text/css'> body { font: 15px Tahoma, sans-serif; margin: 10px; line-height: 25px; background: #EDEDED; } img { display:inline-block; } .bold { font-weight: bold; } .mark { background: #D0D0E8; padding: 2px 5px; } .header { text-align: center; font-size: 30px; line-height: 50px; font-weight: bold; margin-bottom:20px; } .info { background: #D0D0E8; border-left: 10px solid #00008B; } .alert { background: #FFE4E4; border-left: 10px solid #FF0000; } .private { border: 1px dashed #000; background: #FFFFEF; } .note { height: auto; padding-bottom: 1px; margin: 15px 0; } .note .title { font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; } .note .mark { background: #A2A2B5; } .note ul { margin-top: 0; } .note pre { margin-left: 15px; line-height: 13px; font-size: 13px; } .footer { position:fixed; bottom:0; right:0; text-align: right; } </style> </head> <body> <div class='header'> <img src='data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAEAAAABACAQAAAAAYLlVAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JQAAgIMAAPn/AACA6QAAdTAAAOpgAAA6mAAAF2+SX8VGAAAAAmJLR0QA/4ePzL8AAAAJcEhZcwAACxMAAAsTAQCanBgAAAAHdElNRQfjAwwMJwSFwIn8AAADNklEQVRo3u2ZTUhUURTHfzozmprmZ1pYEmkfJNEmiwwkSEyFECIQpEUboYhqFYHQXlcti9rUKldWBEUiuQpbtDDNzD5G8qM0HRXLRtO5LdJx3puPd++8+xyIztm88zgf/3veufeee18SdimDI1RxnL0U4gbAzxhDdPGCfpZs+49JWTTyFB8iAq8wTju1pDgXvopOliIGX+d57rHPieBuLvLNIvgaD1KvP/x1FiTDCwQTNOkFcJVfCuEFgq+c0he+minF8AJBH2WRnCUph8/nIZVhb2d5w1smEbjYSTn7SQ/TucsFlnWkPxBW6Xc4RkbIoHKooSNshsxRbT98Eb0mtyM04oqgmR6hUNvtrwrnWDa4nOVMVF0XLfw2aPuosBfezQPTmNpiVtFmnpj0W+wBKMFrcPeJ3RYWNfwwWHSSZgdAHX6Du5uWFpl0myqm1KiQrASgnNQQaZFOS4t5nhvkAnbZAbDHIE0wIGHzmsUQKdXkQwlACtsN8ijfJay8zBjkovgBbCLPlAG/hNUcswa5IH4Ayasdzxr5pBbWRRYMstGHYg04QAkH4FbQFSwTCKbdI7mzWVipbMceKtiCCFqO0OeY1caRbAaKOcgOCpQ+WWTyM8EwvfjkTfJoYZDFONqwaPyTHs7LbktlPNMYep2XuE22dfhsHjkS/i+3Wn/SK2EdoE72UeuyGH8rxbbLLjqlkRlb4TAzDo5fIJiOvRTnR+ju9VJuwveC/wASDsD+2h5KUyyQTVZiALzjFt3MsY16mtmqx2mt9BbUw4EQuzpGpVcCLQB8nDBZXmJFDoCeInzFS9ObxwzLmeoBMGA4/QBM4t1IAOHXDi7Zqwg9ACrCWotS8xnQWQCHOGsafzOFOhzLT8NxmoI3RZncULjG1ARA8DHYupxUucbUtxd4ghnw4JI30wdARHneMABx0j8FYD3xCkdefQByKFl9KsOjy6nKNBR0cZRCTjOk1JhrBCCY5r3pZtSS9bZkueSqmljVgPoPDa0Algk4HD8QG8AXph0G8Dk2AC89DgPosFKodvR83G/dtiRzTevtUChP0SCTpBQuM+bI6Bvk51gl96X/FFvzCh9oW0v+H2zO2tYtz/EgAAAAJXRFWHRkYXRlOmNyZWF0ZQAyMDE5LTAzLTEyVDEyOjM5OjA0KzAwOjAwG6lIYwAAACV0RVh0ZGF0ZTptb2RpZnkAMjAxOS0wMy0xMlQxMjozOTowNCswMDowMGr08N8AAAAASUVORK5CYII='> <div>All your files have been encrypted!</div> </div> <div class='bold'>All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail <span class='mark'>[email protected]</span></div> <div class='bold'>Write this ID in the title of your message <span class='mark'>29A92574-2686</span></div> <div class='bold'>In case of no answer in 24 hours write us to this e-mail:<span class='mark'>[email protected]</span></div> <div class='bold'>Our online operator is available in the messenger Telegram: <span class='mark'><a href='https://t.me/devos_2686'>@devos_2686</a></span> <div class='bold'>If there is no response from our mail, you can install the Jabber client and write to us in support of <span class='mark'>[email protected]</span> </div> <div> You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files. </div> <div class='note info'> <div class='title'>Free decryption as guarantee</div> <ul>Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) </ul> </div> <div class='note info'> <div class='title'>How to obtain Bitcoins</div> <ul> The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. <br><a href='https://localbitcoins.com/buy_bitcoins'>https://localbitcoins.com/buy_bitcoins</a> <br> Also you can find other places to buy Bitcoins and beginners guide here: <br><a href='http://www.coindesk.com/information/how-can-i-buy-bitcoins/'>http://www.coindesk.com/information/how-can-i-buy-bitcoins/</a> </ul> </div> <div class='title'>Jabber client installation instructions:</div> <div class='note info'> <ul> <li>Download the jabber (Pidgin) client from https://pidgin.im/download/windows/</li> <li>After installation, the Pidgin client will prompt you to create a new account.</li> <li>Click "Add"</li><li>In the "Protocol" field, select XMPP</li> <li>In "Username" - come up with any name</li> <li>In the field "domain" - enter any jabber-server, there are a lot of them, for example - exploit.im</li> <li>Create a password</li><li>At the bottom, put a tick "Create account"</li> <li>Click add</li> <li>If you selected "domain" - exploit.im, then a new window should appear in which you will need to re-enter your data:</li> <ul> <li>User</li> <li>password</li> <li>You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)</li> </ul> <li>If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - <a href = "https://www.youtube.com/results?search_query=pidgin+jabber+install">https://www.youtube.com/results?search_query=pidgin+jabber+install</a></li> </ul> </div> <div class='note alert'> <div class='title'>Attention!</div> <ul> <li>Do not rename encrypted files.</li> <li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li> <li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li> </ul> </div> </body> </html>

Emails

class='mark'>[email protected]</span></div>

class='mark'>[email protected]</span>

URLs

http://www.w3.org/TR/html4/strict.dtd'>

https://pidgin.im/download/windows/</li>

Signatures

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

1668 bcdedit.exe
1120 bcdedit.exe
588 bcdedit.exe
1916 bcdedit.exe
Renames multiple (222) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

1728 wbadmin.exe
1480 wbadmin.exe
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

2704 netsh.exe
2140 netsh.exe

pid	process
1668	bcdedit.exe
1120	bcdedit.exe
588	bcdedit.exe
1916	bcdedit.exe

pid	process
1728	wbadmin.exe
1480	wbadmin.exe

pid	process
2704	netsh.exe
2140	netsh.exe

Drops startup file 3 IoCs

Processes:

2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

description	ioc	process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe"	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos = "C:\\Users\\Admin\\AppData\\Local\\2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe"	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\B5JWTXJ4\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Public\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ASWW3GU0\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QE6QYUAB\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\334W6EWO\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6KIMP0IT\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\L54IQZD2\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UIYQP923\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XHX8DMHP\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\FLASH.NET.XML.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.DPV.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153095.WMF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.Infopath.dll	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OMSINTL.DLL	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay.css	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00021_.GIF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187861.WMF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02431_.WMF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18246_.WMF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.GIF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_es-419.dll.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01866_.WMF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR32F.GIF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.XML.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\PhotoAcq.dll.mui	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285822.WMF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Urban.thmx.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\OFFICE10.MML	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR30F.GIF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR38F.GIF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1A.BDR.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLJRNLR.FAE	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\PREVIEW.GIF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00116_.WMF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18234_.WMF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.ServiceModel.Resources.dll	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00122_.WMF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.dll	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.dll	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\RPT2HTM4.XSL.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OART.DLL.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Category.accft.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152622.WMF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10254_.GIF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15275_.GIF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKS.ICO	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\PROFILE.ELM.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\WT61ES.LEX.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199423.WMF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00194_.WMF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL016.XML	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04117_.WMF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099181.WMF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01749_.GIF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.EXE.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228959.WMF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_03.MID.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01744_.GIF	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_OFF.GIF.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\2d.x3d.id[29A92574-2686].[[email protected]].Devos	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

2880 vssadmin.exe
2900 vssadmin.exe

pid	process
2880	vssadmin.exe
2900	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

pid	process
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
Token: SeBackupPrivilege	2484	vssvc.exe
Token: SeRestorePrivilege	2484	vssvc.exe
Token: SeAuditPrivilege	2484	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2744	WMIC.exe
Token: SeSecurityPrivilege	2744	WMIC.exe
Token: SeTakeOwnershipPrivilege	2744	WMIC.exe
Token: SeLoadDriverPrivilege	2744	WMIC.exe
Token: SeSystemProfilePrivilege	2744	WMIC.exe
Token: SeSystemtimePrivilege	2744	WMIC.exe
Token: SeProfSingleProcessPrivilege	2744	WMIC.exe
Token: SeIncBasePriorityPrivilege	2744	WMIC.exe
Token: SeCreatePagefilePrivilege	2744	WMIC.exe
Token: SeBackupPrivilege	2744	WMIC.exe
Token: SeRestorePrivilege	2744	WMIC.exe
Token: SeShutdownPrivilege	2744	WMIC.exe
Token: SeDebugPrivilege	2744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2744	WMIC.exe
Token: SeRemoteShutdownPrivilege	2744	WMIC.exe
Token: SeUndockPrivilege	2744	WMIC.exe
Token: SeManageVolumePrivilege	2744	WMIC.exe
Token: 33	2744	WMIC.exe
Token: 34	2744	WMIC.exe
Token: 35	2744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2744	WMIC.exe
Token: SeSecurityPrivilege	2744	WMIC.exe
Token: SeTakeOwnershipPrivilege	2744	WMIC.exe
Token: SeLoadDriverPrivilege	2744	WMIC.exe
Token: SeSystemProfilePrivilege	2744	WMIC.exe
Token: SeSystemtimePrivilege	2744	WMIC.exe
Token: SeProfSingleProcessPrivilege	2744	WMIC.exe
Token: SeIncBasePriorityPrivilege	2744	WMIC.exe
Token: SeCreatePagefilePrivilege	2744	WMIC.exe
Token: SeBackupPrivilege	2744	WMIC.exe
Token: SeRestorePrivilege	2744	WMIC.exe
Token: SeShutdownPrivilege	2744	WMIC.exe
Token: SeDebugPrivilege	2744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2744	WMIC.exe
Token: SeRemoteShutdownPrivilege	2744	WMIC.exe
Token: SeUndockPrivilege	2744	WMIC.exe
Token: SeManageVolumePrivilege	2744	WMIC.exe
Token: 33	2744	WMIC.exe
Token: 34	2744	WMIC.exe
Token: 35	2744	WMIC.exe
Token: SeBackupPrivilege	2468	wbengine.exe
Token: SeRestorePrivilege	2468	wbengine.exe
Token: SeSecurityPrivilege	2468	wbengine.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeSecurityPrivilege	1688	WMIC.exe
Token: SeTakeOwnershipPrivilege	1688	WMIC.exe
Token: SeLoadDriverPrivilege	1688	WMIC.exe
Token: SeSystemProfilePrivilege	1688	WMIC.exe
Token: SeSystemtimePrivilege	1688	WMIC.exe
Token: SeProfSingleProcessPrivilege	1688	WMIC.exe
Token: SeIncBasePriorityPrivilege	1688	WMIC.exe
Token: SeCreatePagefilePrivilege	1688	WMIC.exe
Token: SeBackupPrivilege	1688	WMIC.exe
Token: SeRestorePrivilege	1688	WMIC.exe
Token: SeShutdownPrivilege	1688	WMIC.exe
Token: SeDebugPrivilege	1688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1688	WMIC.exe
Token: SeRemoteShutdownPrivilege	1688	WMIC.exe
Token: SeUndockPrivilege	1688	WMIC.exe
Token: SeManageVolumePrivilege	1688	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1200 wrote to memory of 2572	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 2572	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 2572	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 2572	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 3024	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 3024	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 3024	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 3024	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 3024 wrote to memory of 2704	3024	cmd.exe	netsh.exe
PID 3024 wrote to memory of 2704	3024	cmd.exe	netsh.exe
PID 3024 wrote to memory of 2704	3024	cmd.exe	netsh.exe
PID 2572 wrote to memory of 2880	2572	cmd.exe	vssadmin.exe
PID 2572 wrote to memory of 2880	2572	cmd.exe	vssadmin.exe
PID 2572 wrote to memory of 2880	2572	cmd.exe	vssadmin.exe
PID 1200 wrote to memory of 2632	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 2632	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 2632	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 2632	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 3024 wrote to memory of 2140	3024	cmd.exe	netsh.exe
PID 3024 wrote to memory of 2140	3024	cmd.exe	netsh.exe
PID 3024 wrote to memory of 2140	3024	cmd.exe	netsh.exe
PID 2572 wrote to memory of 2744	2572	cmd.exe	WMIC.exe
PID 2572 wrote to memory of 2744	2572	cmd.exe	WMIC.exe
PID 2572 wrote to memory of 2744	2572	cmd.exe	WMIC.exe
PID 2572 wrote to memory of 1668	2572	cmd.exe	bcdedit.exe
PID 2572 wrote to memory of 1668	2572	cmd.exe	bcdedit.exe
PID 2572 wrote to memory of 1668	2572	cmd.exe	bcdedit.exe
PID 2572 wrote to memory of 1120	2572	cmd.exe	bcdedit.exe
PID 2572 wrote to memory of 1120	2572	cmd.exe	bcdedit.exe
PID 2572 wrote to memory of 1120	2572	cmd.exe	bcdedit.exe
PID 2572 wrote to memory of 1728	2572	cmd.exe	wbadmin.exe
PID 2572 wrote to memory of 1728	2572	cmd.exe	wbadmin.exe
PID 2572 wrote to memory of 1728	2572	cmd.exe	wbadmin.exe
PID 1200 wrote to memory of 2796	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2796	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2796	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2796	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2624	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2624	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2624	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2624	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2972	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2972	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2972	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 2972	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 284	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 284	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 284	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 284	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	mshta.exe
PID 1200 wrote to memory of 1704	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 1704	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 1704	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1200 wrote to memory of 1704	1200	2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe	cmd.exe
PID 1704 wrote to memory of 2900	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 2900	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 2900	1704	cmd.exe	vssadmin.exe
PID 1704 wrote to memory of 1688	1704	cmd.exe	WMIC.exe
PID 1704 wrote to memory of 1688	1704	cmd.exe	WMIC.exe
PID 1704 wrote to memory of 1688	1704	cmd.exe	WMIC.exe
PID 1704 wrote to memory of 588	1704	cmd.exe	bcdedit.exe
PID 1704 wrote to memory of 588	1704	cmd.exe	bcdedit.exe
PID 1704 wrote to memory of 588	1704	cmd.exe	bcdedit.exe
PID 1704 wrote to memory of 1916	1704	cmd.exe	bcdedit.exe
PID 1704 wrote to memory of 1916	1704	cmd.exe	bcdedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-22_9b949b041cfe8391d65657156c2cf4d4_phobos.exe"
2⤵
PID:2416

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2880

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1668

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1120

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1728

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2704

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2140

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2632

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2796

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2624

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:2972

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
2⤵
- Modifies Internet Explorer settings
PID:284

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2900

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:588

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1916

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
3⤵
- Deletes backup catalog
PID:1480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.id[29A92574-2686].[[email protected]].Devos

Filesize
23.5MB

MD5
fa869c0734430575a04efce5d34ebaf5

SHA1
8c0cb74b19024f28e4d09315cbd87bc0d924a36d

SHA256
323720f16bc87e6016ddcc4a1bd3179ba8cc6562687ffbca4d434d43057372c0

SHA512
d4475e9993607e7eb671bc1bcb3217d1c54e3b24e5a22579867c4bb367b57fb0f809c35b4076d63633af585556e4cf09d15e27bc552dbacb2e6f35e17fe9c4ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml

Filesize
964B

MD5
0fb569bd35d44c9ffa7d4728af4e734f

SHA1
b41945703b8efdabbb18c60ccd93d2115ceb78fa

SHA256
788ddb3f7716950d0d204e6cad9fe3cc1dddb6140f615cb1c76bea0541722c20

SHA512
b94c1fd2dd103b19b5fbac6c76d3166be91b01d659e1c912a26ccc48664a153c62cbbbf15ab3869aef08fdc8bb3918e4ce83bb97a1a428f55ce12793d50ee646

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml

Filesize
961B

MD5
5360b12f6a07af7be93437d215f72fca

SHA1
fe12fecaca49a131167d88817c4941514ea408e1

SHA256
a0cffb66ffbe1d4701a3aa75ae66af7ca178b45f5c722de3d9021a543129f80a

SHA512
a0b23b148cd30b1d4a41e81aca63179eda341bac1d1c3bf83924d0bef90a47e11f2de08b4cbb879331d507184ec1df9b59c18951e740b94247ef726b15fcc410

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml

Filesize
962B

MD5
c3c9945cae188df73afd04c6251ba98d

SHA1
4327d33b49b3c7046cdff83bdd31c724bdbf4118

SHA256
a2a40bb99c6a44d49eeb216549045620e8cb9fb90fb165eff71f846f30264096

SHA512
a674c78678624d59cff6386381c0e4e459836484aca4e617fec26729878743d2ffa5dd4a3bab0a0f0f27d60095739cf4ee0a6b0f4a5d79d31b43a7ecdbba02a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml

Filesize
960B

MD5
e2b1e53f26985bc0bc2a99c7d107a1d1

SHA1
b0b9bccd847f973baaed9790a33f3f77d2d1db1c

SHA256
3dc463a76fc170607c07b104c3cb531362ce7d6e10c1a34e0c0f370aeae08ce8

SHA512
0c53d4208a6b0cc0e6959d7eafc24012efd854316ac3830267861fd02f1da0246a268e75a7549b8b5ede05d08798f22f87c7bc305b62dbf76632cdff107ff718

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF

Filesize
185B

MD5
6f6b5e30af6a9e64b7b6a19c39de7e0c

SHA1
f4e37133cd52efd2967e90d645332c44a56b6832

SHA256
babd6f664158d665504571b169a1e81ef75470cdca4fdd7d95be6cdb7826136d

SHA512
4521a9829f60e2f4af33d4f72dbeedac048fcec352554b449ca36bcc32b64b65151bb7fcec78b389c37ed5819acd4c7f61e9ec08591408dd2400cf78ab5d67ed

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21434_.GIF

Filesize
177B

MD5
81e4bf29a6552cb0df60980b937ed4a3

SHA1
ca18e846361c6f84ae934ac108d5df987e977925

SHA256
8d84ef2aa665b1d6e1a15112d9c53eab04b68a09a088de5392ee63d51060db81

SHA512
ff58938f4d4c80baba6b15d20744b9762757cfc6834d8a5023b209f07914793881361ab457eed2fb0d17e28a8c99c541a142809f19715d0350c4487e78846ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF

Filesize
175B

MD5
6790430bcb39e961b83668cbaa1573dc

SHA1
9f01e584f766dfbb5e49d6e32f7dc51fea2d0d91

SHA256
5514e3463923ca8257bc073bf34413d0426a6b45bf569b5a5b74c7c5298c57a7

SHA512
6fe6a31054dc68ee8c59da7de683ce56963f27b6a3e8ed634184c5ac99b6cb4dfdc2ab7980b4acb1f9b2a44ed61cd363ebb388b44cf466c736789d9bda98573e

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115836.GIF

Filesize
173B

MD5
4df019b7bb2ba1e54ed725a85be04261

SHA1
f40905a7a7dd1623fa8f075715c862f6b944e961

SHA256
33c35642a71ce7d31f92ebe614045d206968f058cb345c7df4ab397a2655f16d

SHA512
654f35be8431fb1e9995a75ea93b9fb04fa12e7ed94923df34ec99bf8052c46effb28ea46417357e1a6ce6f9a8663525d5ad48cd74942968df2a178396024ac1

Download Submit
C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF

Filesize
176B

MD5
5dc32f41bef844b95b3a8d79e9633c42

SHA1
50cf558caa78030567cf4e265f7c9cba3a2d904b

SHA256
86d2cf5b090f43ee54d8f7c1dcf746a853951191457ff6dac96269a9d24860b9

SHA512
99e7e8bbb58a6727ddbfa71f9dbb7d02658a11d7e735367ead3cea004ed3edba9cca8997117745fb40733672879b5f466a7e39cd5684729eb413bce49c2019ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_OFF.GIF

Filesize
341B

MD5
c2dc578691371996eab94eb37f6896e4

SHA1
9c09715d6b50b203e161cfb59bbbfaa7837532c4

SHA256
9f3a97071dc41574af5b54e44945fabef8d5da339d179476a78dbd624a60033e

SHA512
a3778926bde4b74eb0dbda8c7857f2f05c6abfc39222f80332bfdcf7fcfd4db9b81ddca44c45a1155244e667f98f07c7211c25a29c68a62d89b8637e8ae05e70

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF

Filesize
222B

MD5
3e586cd8128ba5d03ccbc121909e7421

SHA1
140dc52658e2eeee3fdc4d471cce84fec7253fe3

SHA256
1207fbf437a6d60bad608c9c4a7397194c4f3768142a32c7e5f3a1415452a992

SHA512
f1759159e90975a7baf3c666e402f9063909bb11f47371c9472ae40315ba13454f0ff4aa418c7d0079eebc09909268b5d2d39ef871f0e5850544b1442f9d6f1d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Main.gif

Filesize
1KB

MD5
79b9e09ca5f8f8ebd840da4c96afeccc

SHA1
efd9e4cb4eb7a896db0cd0de5138eb5be50864db

SHA256
318e9e1df845c4135ab519baf8e2c9e617df90e2b3020741ab5d926bb0d4cc93

SHA512
2df29a7c367151d76b4adab7002e0e90337c1ee07f935545cf30cb729ae91171bceeec0e2611e50d91d097797bc221ff63f949e225629f23a0dc5de3dae851da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_F_COL.HXK

Filesize
114B

MD5
301657e2669b4c76979a15f801cc2adf

SHA1
f7430efc590e79b847ab97b6e429cd07ef886726

SHA256
802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b

SHA512
e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_K_COL.HXK

Filesize
113B

MD5
b9205d5c0a413e022f6c36d4bdfa0750

SHA1
f16acd929b52b77b7dad02dbceff25992f4ba95e

SHA256
951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a

SHA512
0e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML

Filesize
179B

MD5
bec4473fc43b77e28e60f89da4e29c00

SHA1
d5dbc7c6642a8a23da14f952a0f64fe874e8191b

SHA256
5e06bfa9ebccfa3d8759270620b6860f0b92be9d69ef7d7802b78ee5b5f07f96

SHA512
ff2c101c1172e64481be5e98b2216d5eba93b81210a1a67adecfe05bcf37c3d965c06b368ddc1ffb7e4187cda0373720f6a27476f036a41517762d5cb3729aea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTL.ICO

Filesize
1KB

MD5
8722af8683c6dedfa35cf708f04e507a

SHA1
e411318d7904624a56946cec0059e380b0a4bd0f

SHA256
a338f849bbccace695e284ab83c0cecc84876fdb292078f1186b31e9b6a07127

SHA512
1341ce0453aeae411696a7343f2f6a6fa991fbd483433841cfd4b202ad476d77ba62b66ff547baf4e29a5bd38e7c1f2f78ead201ed1bb8ec50b98eb763bb11da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLSTS.ICO

Filesize
2KB

MD5
d4a7e4b0851785143ecd98f019ace3c9

SHA1
99d3d7b7167a9ce2fe67a0d296bfdf60ba7a8a8e

SHA256
ea3a2d1ae34d98f545d82a53ff2d1c6e5334ab4a0a4cd902e3fcd0fb697bf32d

SHA512
cfaa3e8c5f61f0b662c6e04296ae67b83d81fe96eed7872bc503c131cdf47576777d1857d0575ca309652f63f5de2a8ad6fe072bd3c3127eda3d353e61260c2a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp

Filesize
2KB

MD5
cc084392f2514a4337b42f4865e2cc83

SHA1
79ff391fe2ea7244cdb5a1e1e5bc68ee0cc1c17a

SHA256
3bff857daf1c246b3ba79bff08805f403b65b0e2a5cffb40b078a383eb861514

SHA512
9c19d048cc3c0b34e8191368b9d243a4a9a25bdf4c55b3d51da4e97a679ca8507dd7368fe3ba22cb32451d433533d215549a276271462f8d1d1c2a9ff37ab68e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
9cb5fb90f42219febcadbc6eb57257f6

SHA1
c948b86625804155f9ac9478a07cae11d8021563

SHA256
1093af6901915021573eb2e3bcb49af7f1eb79df351806d325b80f1baedaa185

SHA512
9c9031770c5c67f40b93dc7dac91822f3b5eabe1deb83eceb2a878afc810a810ce0521f966e68fa49aa1973cec342cd3ef6096ebaaa191b885a542e4a178ca5a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF

Filesize
621B

MD5
59bcafcabdd1f16e7b9889ee10dec858

SHA1
116cf3bc4321fa20352d009e1d0cea588a9b61e0

SHA256
006f8885e892963b3d4a0b53141f888ef5d0b36770d43b82296bcbf800a89d13

SHA512
2d0fe70022c2bd7397b94c78b27d6c3d2426a644a1601b6381084941e9b1dca913d0e0787d8e463d69d7730031233f5b85ec76b480b736ced324fbd45727dfad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.ICO

Filesize
318B

MD5
385592b8ece89d5bb6c8ff79b132c562

SHA1
bc14ffc7e1686ee066f445f1ab95714ad631b9e3

SHA256
b57536fb8401facf2e6aed14ed0f15e42a4f38b1e05eebc1a8be1613909c5165

SHA512
62ad043d2e28c8e5eddfb9d46edbacd40ac092b3fcc0e5bca70ac0d07d9d4b80cbf194f99803bbac70f3b963f9a3e7ae2ba29ecf3d71535ea3ab257115862bc1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
ab58d658c2dfe0393df78f57740dcdb8

SHA1
096427e4fce6a16c49a01f645139172fbf077ba5

SHA256
882993b55cc0c527f0a6059b69b3faf4ef3ccb9cecd3d8847ca0e49a1444debe

SHA512
bfbad9a939371aa29f4ed8c5bcad0d0299766bbe6dc1d9d6233ae0c060a394c0b8bf665b11a28c3713d434340dda690cabb578ecf3e2a4a462d797f0b3f30df2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
0ad4cf7b35f62b8ff9c73f481594fbdd

SHA1
08b895c85051d99477cdf56d80c4006c262048ef

SHA256
c55b90509b8cb9bac53fbdddfc93d4e572685c509f1218423c43a5d6013bbd48

SHA512
697f1c0117c89ea0486b5b8e9dded787eafcfd710251cef4cf5cc275b1572a5cf9d499e44fa672aca8a77521a33b2e5040cf69c7cc3947fec2cd75d2296edecf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
64321e9c7da09049fe84bd0613726226

SHA1
c2bed2099ce617f1cc035701de5186f0d43e3064

SHA256
e43fe96a7f7ec0a38984f78c064638b2daa75e261ab409bbbe2d3e590265ec7b

SHA512
4f56b895d0ab27f71ad4f5e54309538ab3052955c319ca5f718e6b8f8fbed1bd5f51f036eff7cd82d4403ad4b93395ddf75dc8621041ef5c5ca916c1113104c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
9d1101f2c45ce53f2ead40247bc2629f

SHA1
c7c2770645e7611ae33bd7a0b3ed948d39f17c06

SHA256
47f0149b43961165c5fa224dbd2d1e956cf0a26b86d15ee3e12652c2a6e013ca

SHA512
91ae75b332bb98b6116352147701514db0426f710600bcbd1bdfe31f20ab83c2c21c794244055372e5d11ee177f8dedfd31a1d9a744b84be0f57b580a8464ec1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
79f7ca0fba179cb0bc93eb2f178e4ace

SHA1
a529d3822d5bbe18f6c3acfe44b19f0449e76f9f

SHA256
86a618c687c518ca93f7151a26391ef0e19101986d30f7eeefa420b0574fc5ec

SHA512
3924f19e1a9e1b9b9eac515c1d5dffff2aafde9745ad8d20b0d71dfede631875c611b58b2624fef0273830341b497fe7b554710d18bdfedd57c36ac0a764947f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SAVE.GIF

Filesize
615B

MD5
9c1b2a47c87f33de47ccfcdc098e1806

SHA1
4ea8f90ce4f6569e41788252674776594ca668f8

SHA256
8d77e83b50a81c442acd64cf5a57ee30906256da88e661e87cba51320f2cdda9

SHA512
b317fc3bea365325bc928e347d081bf019c0dd35e764172ed105212e86ab4ab303b92bd1bb0752cc27c0a7d46548e199df353fb84873e812a744878d9d34bd30

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right.gif

Filesize
369B

MD5
697538917066fbdc54bb7922e0f2eef8

SHA1
21cf57e715733ecaadd17747a6956fea5dfcc3e9

SHA256
1270be94b76ac32534581f51fecec7ce90ed9e0f3693f310058fba0c6ca8aaa7

SHA512
26806e433c67cbcf7bff91a47e214a312929f279739bdf2ca0b5d26f04e40f76f6350161c7aaa44de48fe70aa6bb67293d9736aaac526f1f794e94f135538be1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif

Filesize
580B

MD5
bd38f281632881248ac7f09eef8a6319

SHA1
5a40ad5f3ec39d2ad991e0b94683a0ce987d5066

SHA256
b92428daaf38be6775a2b1ce78f5c8ce213b90c6e6fbd95bae56458ab90f7437

SHA512
1e102e101b9c679ff5bbb874806650bc12a69dbab6fd446617e392c99620c81e35c2233a745934692b2e4f20b46a7cf5e90cf38a97b87ea588d525ce356b6099

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
ccd9d8aa4c9fbad1069e4dd2c4982652

SHA1
58cc653eba0694d39e7615ee7e049c8441fe6600

SHA256
35e1150f8a8236fd8c2be2c6da618b5f5366caabb763b7453201f5c430441aae

SHA512
7530335f5f01da26479349321531093d3da8a1cefd4e916496dd254273076df9ef5eb91ecde1221e37a2525e76a8578a6859ec79a15ddb0a69e2e39578afb8f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OnLineBusy.ico

Filesize
3KB

MD5
175b6d3035eaaf10bcc78b54ab021ecf

SHA1
480f5c00b285f824d6eec209d6937e05c34d1805

SHA256
868d0516a42b8340eba07ffaa00f5928e1d6a7daf2a3c4d96c1b86b80e2e3e81

SHA512
eb0b26da872e4e957415ca60d0114903a3b62dfc6f4b02db745004a32ce55d791baf8d550284be03157a59a433fdc9e39a3129155cc0a73cef87febc51fb2f6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\PersonalContact.ico

Filesize
1KB

MD5
d33c6324366941b3c100293e79426478

SHA1
afd047c1461a2ce36b775cc94392672eb43f1463

SHA256
d2a2840f1282913c2678160f13f3204616a9c302ae3b8f47bf17783ef3323aa7

SHA512
7cffef992a6008d2d5b1cd768ae722d533a7e2a637b421ab67f16175328ffc9f3a4cd72ed5db695796d335371aad94c4bf9003fe685c3833b7687b59bbb6b940

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico

Filesize
2KB

MD5
46b109680d8e37a25b4ca79ff35e270f

SHA1
e1d4ca57aa3114a7931c7a5bbc8be1ecd8bd7882

SHA256
54a918ed71329a2e6af831153825cb69b8cd45938a352d3b0882c92969a353dd

SHA512
7533cfb7af8b272d23734efddd2eba7524a746ac0664621ba3c05f139417f6e68bdf6e38c57ea16e8552d0b491a37f320f8f95d7b9e39e3c171a28f81643197c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTOPENWORLD.COM.XML

Filesize
807B

MD5
b024a04198ed894b334178e411856122

SHA1
ca7552399eca0ceec6a3dbf393396fade2f5f550

SHA256
cadbea407cb411d2ed1c47c77536b622eb7d53d4fd3ee3b9897d554298683fe3

SHA512
466ef38a6bd49fc816e208b408e5bcc7d366dc7eb9072600ab21510b6e1417894bffeee5ec96f5a0a535d8e541fd505ae3450f2233e5a128bb073394c530e879

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML

Filesize
806B

MD5
b4052c951a5d5df0482bec08dcd1a1d9

SHA1
99f3e0929eabf972e94c276c6423499860202f65

SHA256
f860ea6cfbfe8ddb3862a09c1b443f3273dac1a4757ce9e7a3b34d46f971ff10

SHA512
c26450d504e58cdbba0ded009158837855dadd8040b0c05845ee25b540567758c650df3d6b28c3571adff47e39d8ef99b30144250477524a19ab172d0870ef82

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML

Filesize
810B

MD5
938fcac2676e99d92efee069eacacc37

SHA1
575b35480aab9ada77d22f922bc57cb49a7580a6

SHA256
9b8747ddedfdcb06f34ca5161281e28aafe3bec2e4b21aa731e17bb46dabc6c1

SHA512
515074b8b8c14986ab86913a659ffa007cab07db5c6798ef6a4e12279ad3bf68262ac42ce991ed20a06825a8e5b8d0efc48aca38dad5503178d1dce0ef68c33c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AR.XML

Filesize
812B

MD5
dc5794fd7e35debdd2e25f3e22761cce

SHA1
348034e08eaa9434bcf5713e9880f60bfd33ba78

SHA256
15dfcf446deb114d465215cf49907aa5efc5fb8531f97607d50148cb4b680288

SHA512
6a9b27a6702e40ef03367ce611716816cc4debac9086983148ff75c4e8656f10ff5edf73e95e18efe9e0ef7b721350e86a20919061d0ce1266258384ef98b1d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IT.XML

Filesize
804B

MD5
0b0d4b77b1494ca873f4311cc88a9fde

SHA1
e88f8c3100290bbcdc224f4db05a77811726fe90

SHA256
60107be66c9efe4d6aa0a3864f71d60b3800c8d6400daa36c05609d099b5f891

SHA512
0a2410540f096ebd0464f16681b7375152fe8844ad2fed5fe86b352a61d6c65695051c82a36b77156a79ac633943463739752163d48b26abedf2db2c49ba794d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Currency Rates.iqy

Filesize
205B

MD5
0ec3bbc188caf04134280e5a95f00446

SHA1
bd398b51e76ebec0b43d756e04548a1907e8d2ba

SHA256
97779f7cae716a4243ac78cdd8c051cfbefdd111d26740978dd0f4c962c2aa7d

SHA512
e67b8b8f0a30a663360fbac820bfe536abb5534db6e0475424ad3dfd526793663ba5e7d866ebea85f67c9154d6bbda2d38789255f83567be05848cc0d7c1934c

Download Submit
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn

Filesize
350B

MD5
80bda6f948a1289beefa36d2ba38194d

SHA1
948905d56e776f1efa1e026b309c6669b089a2fa

SHA256
9cb5d05f0db60b9e0d1b76af229fd2a705903d6a1278d4b815faa536a60c118d

SHA512
ebbc2ac06f50c65430f2d3df2dd94434a6bb0e431a48e5929d57b944882f66e488f6abb668535f0bdd5007b92d18d2c4b726ccbc547c60c6adb3c8f5b7f4e586

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn

Filesize
362B

MD5
565aba2aa486212bffe024fefb3a8ba0

SHA1
13f8e2befaf22d391595db2f5bb2efd761cb41ac

SHA256
891c1644d5e29e33e5bb88666853f9531b93a3d6fbbd4a8b01e4e8701f836bea

SHA512
a7a9610937383b8b9feeacacbda08f5d05692cd1550b238caac7a94d17399d689bc95e5afbd7a378e4cb2524d59c3bc3591e975a6aad65bcb6f6cd2e65cbe8ea

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.Lck

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000

Filesize
240B

MD5
cea67ffae620e6410ed0590dc6ec9b92

SHA1
de0e7c9e496fdd650fd8ab826e84b256eeb85812

SHA256
2dfba633817046c7f559ed4b93076048435f7e1a90f14eb8035c04b9ebae2537

SHA512
ba21e55aa88dc8b12e13ebff9e67570177db6aacfb606658650397e6423937d882b1e1c93ed62d12de0dfd59791d78c6a73d68e55f343cfa1f85235daf3b89ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index

Filesize
24B

MD5
1681ffc6e046c7af98c9e6c232a3fe0a

SHA1
d3399b7262fb56cb9ed053d68db9291c410839c4

SHA256
9d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0

SHA512
11bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT

Filesize
16B

MD5
4ae71336e44bf9bf79d2752e234818a5

SHA1
e129f27c5103bc5cc44bcdf0a15e160d445066ff

SHA256
374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb

SHA512
0b6cbac838dfe7f47ea1bd0df00ec282fdf45510c92161072ccfb84035390c4da743d9c3b954eaa1b0f86fc9861b23cc6c8667ab232c11c686432ebb5c8c3f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png

Filesize
890B

MD5
251a7e1401487e69a415fde9d5128b27

SHA1
9bb2d9b5d93e8f9dfe5337014008bce57b3cdb18

SHA256
d1db33e3ae5c6779e11ecc0ddf3962bf0559582980b5e5a92fd5caf91cb1bff2

SHA512
b572720338c60d4c27870e563145269d62470bd32cfb6ba4dbecc881632273189946d813fb6c6f4ea0539f9f0a6975c89b1bcf7fe7c297a005a4b15d8a4eccd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000004

Filesize
50B

MD5
871bdd96b159c14d15c8d97d9111e9c8

SHA1
8cd537a621659c289f0707bad94719b5782ddb1f

SHA256
cc2786e1f9910a9d811400edcddaf7075195f7a16b216dcbefba3bc7c4f2ae51

SHA512
e116d2d486bc802e99d5ffe83a666d5e324887a65965c7e0d90b238a4ee1db97e28f59aed23e6f968868902d762df06146833be62064c4a74d7c9384dfb0c7f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Browser

Filesize
106B

MD5
f536fbf78e26387affb82ee89943b870

SHA1
3ac8e44a9491c16bcd86dab6781acc4f7e1f76a7

SHA256
34dbd6bf55d0d075d666181d9278b8387482a8b5804e44e1ddaafe6876dadc15

SHA512
d9ad640884f40495b4255bd221f0902ff64f84e3136053d03abee7ca417d32a1d72f24a75cb67bc50629e102bdb2f81c0bb087e0eb5cb82fa3d67c4fa5d92450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QE6QYUAB\desktop.ini

Filesize
67B

MD5
53553242d57214aaa5726a09b05fe7bc

SHA1
931613845dd0e72f1b1a5ba0c89f1c34e5cc089d

SHA256
1be2b3990b410ca4fb38d1f79019c4018cd8820b69618646c81d22dfcbddc802

SHA512
dd0a0b9213182c99444bb7fb2eba5b28f521a768880be2539706730693ed9ea462feb4fd46b1deb5e7d4f31a284f2803b476209b451c9dc4d6ed056d71736d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C755D294-FE4F-11EE-88D8-5E50367223A7}.dat

Filesize
3KB

MD5
b4202f7fe985b9648b4676e6f70832bd

SHA1
d37c2b3927946ed617455b3c5913fcab0bc1af52

SHA256
6cf1b57d59e7111bc218dfb01dda93ac0f776715599a1c69f89035bd20c16a10

SHA512
447ea3de41bc400836a5a3df01efe61c2b3d5d646e9310f399c4842c5268d96042d8432d85fde19dcc8f43a2243626e9de850c9ce37d46fe0d0dd0fe5b2b6a88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Bears.htm

Filesize
255B

MD5
6df9012b2b7cb3c55963499a26309bba

SHA1
6d7aaa7d2bcca4a8758b398ab7617839203c828a

SHA256
80bd5cb5a9ca35dcdea1d59b5f1778f4114f6215af38004a02a99a1d37383648

SHA512
32aa05aca47a17b6afdbadabe83e929e5a55777c5f5ddb0c854ae78ef403a2baeda46e7f1f1fd7de5237749f43d5f8ce0c95e260ef25e27e20cbdffde41bcaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log

Filesize
2KB

MD5
c3eef41f29629d2c7796d9c3ee638df3

SHA1
65c07cdd1c2108cb27649aad8690f2643d018e41

SHA256
04893027370077030b48fd90535706dedb3b2d31e4f6ce5bfbcd1c8578017383

SHA512
96898187fe2e319b120c3026a300b06109bc1c9720660a30d8a3705d7cf58f37162d61e904f64b798c4368e4716c3adbbbdb8d047dae4822c131f4526d5b331b

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
d2a70550489de356a2cd6bfc40711204

SHA1
02ec1f60b2e76741dd9848ac432057ff9d58d750

SHA256
e80232b4d18d0bb7e794be263ba937626f383f9917d4b8a737ba893a8f752293

SHA512
2a2d76973c1c539839def62ba4f09319efa246ddc6cad4deb48b506a23f0b5ddbc083913d462836a6eff2db752609655f0d444d4478497ab4e66c69d1ef54b5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Filesize
174B

MD5
897208d5df122e307ab837d982b2c085

SHA1
cf4ca14a7adcbc197cd84c1997efdd076911d608

SHA256
eaae98aa73fe0b561c8b02607a524fb4853bbe81c6de8c3d8a9b7449366809d4

SHA512
b0aa03063c42515de12fbf6d89924a3ae7d8bdd64d7c9bae94c75d571c939655253f3e87368fcd96f5784b2aee8fedac8f66200b8672ab47cc8b37c57a9ad334

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ty9peokp.default-release\sessionstore.jsonlz4

Filesize
833B

MD5
5896cf4827474d1dd04f483e94f82442

SHA1
372c979db150dedddc4d4520e68b1922a282ce01

SHA256
f9a250dc807b5a4fbf459bf5a1ddcd7347f0e6f21f8df32aaa7a79013e540af6

SHA512
23f167acc659615289dfbac3a7d9fdea5c3a7de690051e79b5ff693c2a29c518e12be87850c7136b43cf321eac9695847bf02924c4024b5218e196e9a9f389cb

Download Submit
C:\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
65fe580cf845ed035c4e57ad02a987cf

SHA1
6a7fc08e53675bd325b0e6426eec4ce52db7f2a6

SHA256
4afd6e7f6ef862c727cf5780abfde2094eb56e93383b6e9d4cb7fae81dd17cd1

SHA512
bbc34c4f8892aaae0831e02cdc146ffca22efff5e70601bafa084bb0824e88c87fd20988e602fdcf649ba0322ea1d74cdd5bc7805525987c4115096173e33b76

Download Submit
C:\Users\Admin\Favorites\Links for United States\desktop.ini

Filesize
224B

MD5
59763dea4943fa0a7ec51296d5f2c7b3

SHA1
c3b3795c396c3f64ac68d9304f97b34adfdbf206

SHA256
6eb69e26de2a26eda48af77d4cec893aa0cf4748a64cbefcfe11a22c1e680ad9

SHA512
92c41f07d1aad07acbe943f36731f4739b5bd84822f660459e464262d45f4970203210180655683feb51868735d9deaaf37fb8308d415376bc631ce887b94fdd

Download Submit
C:\Users\Admin\Favorites\Microsoft Websites\Microsoft At Work.url

Filesize
133B

MD5
b85026155b964b6f3a883c9a8b62dfe3

SHA1
5c38290813cd155c68773c19b0dd5371b7b1c337

SHA256
57ffc9ca3beb6ee6226c28248ab9c77b2076ef6acffba839cec21fac28a8fd1f

SHA512
c6953aea1f31da67d3ac33171617e01252672932a6e6eae0382e68fa9048b0e78871b68467945c6b940f1ea6e815231e0c95fbe97090b53bf2181681ecf6c2dd

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk

Filesize
1KB

MD5
1477fccb6f5105178b8a4959217a35a0

SHA1
c66fa5d6d133a7cb7247edd1b32fc6b82dec3dd9

SHA256
118980fc1bef9a9da8a06e2a864d3f5f5573b37786bac8709746a8ca26a12523

SHA512
1715a141037d97e12c98f91a62bd44e76364af02e8ad5024699e9dc3951d005eb3471de1bde3569a61af8e5127883cc1133b6274928bde3c5ad5840e36ee764a

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Run.lnk

Filesize
262B

MD5
25a495be8250cc90b02a483e82df99c6

SHA1
0f8ca0d9fa83bb38a8a400a893185e589a968742

SHA256
ba1d859d62b101dc263d6834aaa81378941736dfab33b15243a4bf3b45691735

SHA512
6926347d0da33ecdf2af9d5ef5966f2108da941447c4e33ca90eeebf82a4171a1439bb3b285c31387e08b5fbd964851fd98d4c352975802de74ce02b03b7bd0d

Download Submit
C:\info.hta

Filesize
6KB

MD5
babd525cf93958b52681e98738ffcf3e

SHA1
e89725470a265e9cc39d1ba47cb6bc7e533b07d3

SHA256
9e0c0a671f2274eaef17526828a13087b1d87aed59f6fa44eef9ef7582e757f3

SHA512
29487480c4c4e540e05cc854c2eaec7aa36d9ffdbe63123fd31caa4e5aa55b37f77e955ee23f00cabe617ea1b0910a6e57f07a6549b883a191e86d4ea6685acd

Download Submit