Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-10-2024 02:56
Static task: static1
Behavioral task: behavioral1
Sample: e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe
Resource: win10v2004-20241007-en
General
Target: e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe
Size: 147KB
MD5: 3dfa97751d9b74984c353be2f1da5508
SHA1: 3ab278f6f4ae48b8616f55c4b445ce2349b03a68
SHA256: e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c
SHA512: a9f70ac6018e37918f0b211c05b2c98e7bdbfa0bf782edd8ce9ed7fb8c8bd1c3deb094e0e5a19fe14a044023824d52daed8d556e8331ed7b4fe205453cf05204
SSDEEP: 3072:xSOCPeTzv5sKdp1gsvtj/tvF1BpVM2P4sFVGcMsBPFJWVxOemEBgACOUX:xSO3zv5fpm2h3BpO2lVDMsLL8UX
Malware Config
Extracted
C:\ProgramData\PHALCON_RECOVER.txt
Signatures
-
Renames multiple (7857) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.
-
Executes dropped EXE 1 IoCs
Processes:
- PID 2392 LPW8.tmp
Loads dropped DLL 1 IoCs
Processes:
- PID 2908 cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only) by e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe: \??\Y:, \??\D:, \??\A:, \??\G:, \??\T:, \??\M:, \??\O:, \??\Q:, \??\S:, \??\U:, \??\E:, \??\H:, \??\I:, \??\R:, \??\W:, \??\X:, \??\K:, \??\N:, \??\P:, \??\L:, \??\V:, \??\Z:, \??\F:, \??\B:, \??\J:
Modifies WinLogon 2 TTPs 2 IoCs
Processes:
- e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "Phalcon Ransomware"
- e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "\r\nAll your files are stolen and encrypted\r\nFind PHALCON_RECOVER.txt file\r\nand follow instructions"
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
- e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe: Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\LLKTP.bmp"
- e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe: Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\LLKTP.bmp"
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe, cmd.exe, cmd.exe, LPW8.tmp, cmd.exe, PING.EXE, schtasks.exe, cmd.exe, schtasks.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
- PID 1928 cmd.exe
- PID 2052 PING.EXE
Modifies Control Panel 2 IoCs
Processes:
- e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe: Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\WallpaperStyle = "2"
- e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe: Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\TileWallpaper = "0"
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
- PID 2156 e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe (12 occurrences)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 32 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe"
- Enumerates connected drives
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2156
  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe" /F
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2528
    C:\Windows\SysWOW64\schtasks.exe (level 3)
    Command line: SCHTASKS.exe /Create /RU "NT AUTHORITY\SYSTEM" /sc onstart /TN "Windows Update ALPHV" /TR "C:\Users\Admin\AppData\Local\Temp\e120d531b7da357b8c9fe4172a3b53c2e6eddfcc701a76cbce8a7a09b63b538c.exe" /F
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2548
  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\LPW8.tmp"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2908
    C:\ProgramData\LPW8.tmp (level 3)
    Command line: C:\ProgramData\LPW8.tmp
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2392
      C:\Windows\SysWOW64\cmd.exe (level 4)
      Command line: "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 > nul & del "C:\ProgramData\LPW8.tmp"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1928
        C:\Windows\SysWOW64\PING.EXE (level 5)
        Command line: ping 127.0.0.1 -n 5
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 2052
  C:\Windows\SysWOW64\cmd.exe (level 2)
  Command line: "C:\Windows\System32\cmd.exe" /c SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2988
    C:\Windows\SysWOW64\schtasks.exe (level 3)
    Command line: SCHTASKS.exe /Delete /TN "Windows Update ALPHV" /F
    - System Location Discovery: System Language Discovery
    PID: 2560
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 2240
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads