gandcrab | e95ea5cddb3d3b12f01e3f9b509adf737f0881d99c2e1dfcf80c55e02ac74e9c

Analysis

max time kernel
84s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RNSM00338.7z
Size

14.8MB
MD5

e9c1cb091e11486b5596436e66d9d481
SHA1

0f5969fc4e0deeead63684173aee0bdd4fd9f73b
SHA256

e95ea5cddb3d3b12f01e3f9b509adf737f0881d99c2e1dfcf80c55e02ac74e9c
SHA512

326c201270f60e9ed6f4a1accab28cce8074b9bb6031376ca5c92333d94f00f31b9f2381c20060530ccd8fd8d78457c17d0aa0d4aa9a7ff707d0ee275b073e1d
SSDEEP

393216:ZVUTV3zucfN4p0dmWTyW5xor/b8xwCYTLe:Z6Z3zDfSp05Ty8ozYSg

Score

10^/10

gandcrab backdoor credential_access defense_evasion discovery execution impact persistence privilege_escalation pyinstaller ransomware spyware stealer upx

Malware Config

Extracted

Path

C:\$Recycle.Bin\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/9666d3472d3d855f | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAJc3wDOkNr2ZKmQDkJ0GALOyAfHftd1fbMTR/b+E66uMrTk8t9pjpWhMRUP33YK0iYYCVEOaGAtQsZ6NLvbfJk2UK0eqTmAtgzED8FuyYwPT5zHul/LvI5qw5wkxvfeu0utWOgQuTSLVT5dUBsGWSf4HmIpRc+cwHiM6N7C4pISTK8Yv9IUeydtoUPRmRhlf/+Db3M1IreFU7leR+ssUbxur/S+G99HVEVGLBmwUCT5zKJX3Y4x2tjnTrDKwfy0/5mDGrqc2/iMiHTn9tcaWn+GObmRQT45pG3V0FnjR9BN7wUKYahifDMMpXZV16TD48eHY1uJrVPPk48hrrq2utpOSJPZ0lf8X4h3dOnLVhklPfR5xZbXGRWujj0+nCgD15gmmlj7a1lgSgth7zvbMaYMH2Rp0iCapzz8uf9NveneVpeIMuPt1CWjBPxcein4GlWkrirGZ3qEngY9aUgffPMMZlN6wPDUlijYqvkFTcKngGqSxy04auUB0dYUgFjtHXfyToZCYnhXgWJ76Gh6iTueuwFhuTzmGfvE0BRpq34klex8yUS2vbiuJmLkih3OZPfA0e6g53IyTGRhfV39jSkqrWy6ErJiBqCqlkfwL/bEh5YMV2Kc1W+I9ajjQGwP983oZZGZie0vLewmqo0Fv+YAIXH/+H96R2gRd/QHY8uUfMMtJI6CIIZnnxwPPHAfKdAe78agQvq03ndsvmBgqOV+BEFPrZDDLxwyneuV4NOIKJNWL9DNldGA9jLLLD1PnsToQj7Om7sag1zIXqNFSCTpp14ZQ32IOzGk7R/OO69uqYqur3G3apW27CiE4wHlO5cuPuQeZZ3cHJZUc0q1DfXI36dTgYWF6wd3kWFpxFiy2b62B8Ks1Wlx1utZdQgk6o/WGMsP7VZoiWWXG4LqQRTx48Gs/tRH4Xgvu+ZINnb6MR+KP/pzpAKQWg72+xt8K68E8O3gV74EE8Zpwi7sGjFjrIKknkclXNv6vOchVa/mTOFdCCdoJzUVZbStzbTv7+wpf3KxIcCpRQz/bLM4+ZX+K8YpDzOPOmz3O9dWYeavBo0a+yETR90cd80jZP+iG8xpLW0y8fuz39cDsUIKnt1QiO3TofCBGwrvfepgiUaV2ZtBQ/oqKoyw0Z6gWNsQX2u9YUs7jKervpGwh2+2sLA775p8qrebL4M1E24MvplJ863q118hnhL5Tg476n2lAXRn4IbST9kJ5eSykHrScBAtuQ8ARqD6BFbFGkORRCSmuq1JdRX8gAmH7FiVsdkNicKb3BhpJ9tYOcxfsewq2Bhy/pijT1CTFOlSe5lg+juJHlfdDhAiY3gAFqcOI3PdghL0H7fKkj7qgEMb9x4trfo6b5r7eNJ2g8tukDC1afzsXrWWZsMUQMDrSAtvutPluuAHtD6uKim6zChTFFNbGoCgQwsIasi7pjl+m0/YfJzn8d6sEbnfUJLBwzyW82GBI7UpIGOJcox8weNQgKd4G39plS60pihurv5p74mRAPq1vbQxD86j3gSI1j6UEuAGZcIqnWtumX/0ZeZPi937BjH5oY6fMYXI6tuYXuIqAMp/GgvsPgyXfKztl+XPgWu39lpOalicmLejlqMkHyzJWFCzlGXssa50U3vPNmhL1JCkM4wSIz9e7c3dawoTiviYhgxkvhO1hQNvFVsXa6yMl/VjeGBB9aKT4E/cRCfFGjOrjcthNk36VHlUSUf8ivkXINeQnz2V5BA3v0QwnhMxrGsUGCgyIPgFX9+2e3efuqL3tnbQ2uncj2yqUDF8mLQHCxXytLmPHz17FW5H1BY0jtl7YSNepYO2hEXdCmAk8qr+8hGSNw2EdKJLkSQh3xSZ0/mR0RlM8Pxve1PKBLsTEjsjxcJrFeR4wGSMxfEbduVimDyySCLIHI1tCmRI9dMFlS6uP1joC/oqhr3nNoVt1kVNq3ne6AoyMrN5GqbC4c55o0i7C831YdECEqRB87KiCDcTLVWe1eD5ipXaOK0x+PLgoIR/4TGgTA6AayMjpKr/x8wsrMt0nY++WX5SF6y5YVeBrqy0gTuHdE92V9si2OYP69EUCoQqRmyUWC23qbdZ7beoc1CCHPvv8D/7TZ1+myx8eY0CGZ/SSuUyVkDjFCuWSDhVeGf3BUEuw6rOvluwZufWFvx6+CLbpiyUzFeEiwt4XOkVUag+UqB/Il9yV+V9mn9bQfBQlkcLct6CtEGmyuAPrjiQa60NFS+t/VHVzTHADsWA= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZCTodRsHYa7ntWs7fcTHSHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi6rF0kU7B5uLw/2U2FeshGtlYOFqABnPtpRHTEdwb9ycE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg70ZifpCxFE3v3LN+ar1wIZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJHzHpIOar+NRZwP9okRV/rusrPFzMP9PXYNh9gzrewdRb9tHf+DbmDW4OIcXpReLdQo9FRha1KO2vpgy2mFLQkzlAtXfjb5QmECiQ== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/9666d3472d3d855f

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Gandcrab family
gandcrab
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (304) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (305) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 25 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

ACProtect 1.3x - 1.4x DLL software 22 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0005000000019465-110.dat	acprotect
behavioral1/files/0x00050000000194d7-116.dat	acprotect
behavioral1/files/0x0005000000019479-120.dat	acprotect
behavioral1/files/0x00050000000194df-123.dat	acprotect
behavioral1/files/0x000500000001953e-125.dat	acprotect
behavioral1/files/0x00050000000197c2-137.dat	acprotect
behavioral1/files/0x0005000000019a72-143.dat	acprotect
behavioral1/files/0x0005000000019c6c-164.dat	acprotect
behavioral1/files/0x0005000000019b0f-154.dat	acprotect
behavioral1/files/0x0005000000019c85-229.dat	acprotect
behavioral1/files/0x0005000000019513-232.dat	acprotect
behavioral1/files/0x000500000001950e-248.dat	acprotect
behavioral1/files/0x0005000000019642-238.dat	acprotect
behavioral1/files/0x0005000000019278-244.dat	acprotect
behavioral1/files/0x000500000001964b-257.dat	acprotect
behavioral1/files/0x0005000000019c87-263.dat	acprotect
behavioral1/files/0x0005000000019b0d-261.dat	acprotect
behavioral1/files/0x0005000000019240-241.dat	acprotect
behavioral1/files/0x0005000000019259-247.dat	acprotect
behavioral1/files/0x000500000001964a-226.dat	acprotect
behavioral1/files/0x0005000000019640-222.dat	acprotect
behavioral1/files/0x00090000000190e1-114.dat	acprotect

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\2d3d82b22d3d855263.lock	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\25014.exe	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\KRAB-DECRYPT.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

pid	Process
2676	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe
2564	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
2524	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe

Loads dropped DLL 48 IoCs

pid	Process
2564	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
700	explorer.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2736	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2616	explorer.exe
2532	explorer.exe
1776	explorer.exe
2792	explorer.exe
2172	explorer.exe
3040	explorer.exe
2716	explorer.exe
316	explorer.exe
956	explorer.exe
2160	explorer.exe
1340	explorer.exe
1596	explorer.exe
328	explorer.exe
2880	explorer.exe
2664	explorer.exe
812	explorer.exe
2236	explorer.exe
1668	explorer.exe
1012	explorer.exe
2708	explorer.exe
1396	explorer.exe
748	explorer.exe
1376	explorer.exe
1644	explorer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\N:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\P:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\T:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\U:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\G:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\H:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\Q:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\V:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\E:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\J:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\R:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\S:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\W:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\Y:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\Z:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\A:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\K:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\M:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\O:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\X:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\B:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened (read-only)	\??\I:	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Hack3r = "0"	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Hack3r = "0"	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016edb-24.dat	upx
behavioral1/memory/2524-25-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2736-111-0x00000000742B0000-0x0000000074561000-memory.dmp	upx
behavioral1/files/0x0005000000019465-110.dat	upx
behavioral1/files/0x00050000000194d7-116.dat	upx
behavioral1/files/0x0005000000019479-120.dat	upx
behavioral1/files/0x00050000000194df-123.dat	upx
behavioral1/files/0x000500000001953e-125.dat	upx
behavioral1/memory/2736-124-0x000000001E950000-0x000000001E95C000-memory.dmp	upx
behavioral1/memory/2736-136-0x0000000002D20000-0x0000000002E67000-memory.dmp	upx
behavioral1/files/0x00050000000197c2-137.dat	upx
behavioral1/files/0x0005000000019a72-143.dat	upx
behavioral1/memory/2736-156-0x00000000030F0000-0x000000000328E000-memory.dmp	upx
behavioral1/memory/2736-155-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/files/0x0005000000019c6c-164.dat	upx
behavioral1/memory/2736-219-0x0000000003290000-0x0000000003859000-memory.dmp	upx
behavioral1/files/0x0005000000019b0f-154.dat	upx
behavioral1/files/0x0005000000019c85-229.dat	upx
behavioral1/memory/2736-233-0x000000001E860000-0x000000001E880000-memory.dmp	upx
behavioral1/files/0x0005000000019513-232.dat	upx
behavioral1/memory/2736-235-0x0000000004060000-0x0000000004190000-memory.dmp	upx
behavioral1/memory/2736-234-0x00000000005A0000-0x0000000000665000-memory.dmp	upx
behavioral1/files/0x000500000001950e-248.dat	upx
behavioral1/memory/2736-255-0x0000000000370000-0x00000000003A5000-memory.dmp	upx
behavioral1/memory/2736-254-0x000000001E9B0000-0x000000001E9D7000-memory.dmp	upx
behavioral1/memory/2736-259-0x0000000000940000-0x0000000000970000-memory.dmp	upx
behavioral1/memory/2736-258-0x0000000002E70000-0x00000000030E9000-memory.dmp	upx
behavioral1/memory/2736-253-0x0000000000930000-0x000000000093A000-memory.dmp	upx
behavioral1/memory/2736-252-0x0000000073D30000-0x0000000073E37000-memory.dmp	upx
behavioral1/memory/2736-251-0x0000000000920000-0x0000000000929000-memory.dmp	upx
behavioral1/files/0x0005000000019642-238.dat	upx
behavioral1/memory/2736-239-0x0000000004190000-0x000000000425C000-memory.dmp	upx
behavioral1/files/0x0005000000019278-244.dat	upx
behavioral1/files/0x000500000001964b-257.dat	upx
behavioral1/memory/2736-268-0x0000000003290000-0x0000000003859000-memory.dmp	upx
behavioral1/memory/2736-267-0x00000000043F0000-0x00000000044D4000-memory.dmp	upx
behavioral1/memory/2736-266-0x0000000002170000-0x0000000002199000-memory.dmp	upx
behavioral1/memory/2736-265-0x00000000030F0000-0x000000000328E000-memory.dmp	upx
behavioral1/files/0x0005000000019c87-263.dat	upx
behavioral1/files/0x0005000000019b0d-261.dat	upx
behavioral1/files/0x0005000000019240-241.dat	upx
behavioral1/memory/2736-250-0x0000000002D20000-0x0000000002E67000-memory.dmp	upx
behavioral1/files/0x0005000000019259-247.dat	upx
behavioral1/memory/2736-227-0x0000000002810000-0x00000000028F9000-memory.dmp	upx
behavioral1/files/0x000500000001964a-226.dat	upx
behavioral1/memory/2736-224-0x0000000000440000-0x000000000051C000-memory.dmp	upx
behavioral1/memory/2736-223-0x00000000742B0000-0x0000000074561000-memory.dmp	upx
behavioral1/files/0x0005000000019640-222.dat	upx
behavioral1/memory/2736-150-0x0000000002E70000-0x00000000030E9000-memory.dmp	upx
behavioral1/memory/2524-149-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2736-139-0x0000000000370000-0x00000000003A5000-memory.dmp	upx
behavioral1/memory/2736-122-0x000000001E740000-0x000000001E766000-memory.dmp	upx
behavioral1/memory/2736-119-0x000000001E860000-0x000000001E880000-memory.dmp	upx
behavioral1/memory/2736-115-0x0000000010000000-0x000000001000E000-memory.dmp	upx
behavioral1/files/0x00090000000190e1-114.dat	upx
behavioral1/memory/2736-432-0x0000000000440000-0x000000000051C000-memory.dmp	upx
behavioral1/memory/2736-675-0x0000000002810000-0x00000000028F9000-memory.dmp	upx
behavioral1/memory/2736-963-0x0000000004060000-0x0000000004190000-memory.dmp	upx
behavioral1/memory/2736-1009-0x0000000004190000-0x000000000425C000-memory.dmp	upx
behavioral1/memory/2736-1097-0x0000000002D20000-0x0000000002E67000-memory.dmp	upx
behavioral1/memory/2736-1136-0x0000000000940000-0x0000000000970000-memory.dmp	upx
behavioral1/memory/2736-1198-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral1/memory/2736-1212-0x0000000004060000-0x0000000004190000-memory.dmp	upx
behavioral1/memory/2736-1211-0x00000000005A0000-0x0000000000665000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\HideNew.htm	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-previous-static.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\2d3d82b22d3d855263.lock	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened for modification	C:\Program Files\Common Files\System\safemon.dat	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_VideoInset.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\Common Files\System\safemon.dat	explorer.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationLeft_ButtonGraphic.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\1047x576black.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_buttongraphic.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\mainimage-mask.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\ParentMenuButtonIcon.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\btn-next-static.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KRAB-DECRYPT.txt	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-next-static.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\Common Files\System\safemon.dat	explorer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000016edb-24.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2344	PING.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}\InprocServer32\ = "..\\Program Files\\Common Files\\System\\OverlayIcon.dll"	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8D6E9E7B-57C4-4080-AAAE-5DC03C45B9D7}\InProcServer32	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}\InprocServer32	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000_Classes\Local Settings	explorer.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2344	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs

pid	Process
2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe
2524	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
2564	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2564	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
2564	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
2796	taskmgr.exe
2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2676	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	540	7zFM.exe
Token: 35	540	7zFM.exe
Token: SeSecurityPrivilege	540	7zFM.exe
Token: SeDebugPrivilege	2796	taskmgr.exe
Token: SeDebugPrivilege	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe
Token: SeShutdownPrivilege	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe
Token: 33	2564	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
Token: SeIncBasePriorityPrivilege	2564	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
Token: SeShutdownPrivilege	700	explorer.exe
Token: SeShutdownPrivilege	700	explorer.exe
Token: SeShutdownPrivilege	700	explorer.exe
Token: SeShutdownPrivilege	700	explorer.exe
Token: SeShutdownPrivilege	700	explorer.exe
Token: SeShutdownPrivilege	700	explorer.exe
Token: SeShutdownPrivilege	700	explorer.exe
Token: SeShutdownPrivilege	700	explorer.exe
Token: SeShutdownPrivilege	700	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeDebugPrivilege	2676	Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeShutdownPrivilege	2616	explorer.exe
Token: SeIncreaseQuotaPrivilege	2912	wmic.exe
Token: SeSecurityPrivilege	2912	wmic.exe
Token: SeTakeOwnershipPrivilege	2912	wmic.exe
Token: SeLoadDriverPrivilege	2912	wmic.exe
Token: SeSystemProfilePrivilege	2912	wmic.exe
Token: SeSystemtimePrivilege	2912	wmic.exe
Token: SeProfSingleProcessPrivilege	2912	wmic.exe
Token: SeIncBasePriorityPrivilege	2912	wmic.exe
Token: SeCreatePagefilePrivilege	2912	wmic.exe
Token: SeBackupPrivilege	2912	wmic.exe
Token: SeRestorePrivilege	2912	wmic.exe
Token: SeShutdownPrivilege	2912	wmic.exe
Token: SeDebugPrivilege	2912	wmic.exe
Token: SeSystemEnvironmentPrivilege	2912	wmic.exe
Token: SeRemoteShutdownPrivilege	2912	wmic.exe
Token: SeUndockPrivilege	2912	wmic.exe
Token: SeManageVolumePrivilege	2912	wmic.exe
Token: 33	2912	wmic.exe
Token: 34	2912	wmic.exe
Token: 35	2912	wmic.exe
Token: SeIncreaseQuotaPrivilege	2912	wmic.exe
Token: SeSecurityPrivilege	2912	wmic.exe
Token: SeTakeOwnershipPrivilege	2912	wmic.exe
Token: SeLoadDriverPrivilege	2912	wmic.exe
Token: SeSystemProfilePrivilege	2912	wmic.exe
Token: SeSystemtimePrivilege	2912	wmic.exe
Token: SeProfSingleProcessPrivilege	2912	wmic.exe
Token: SeIncBasePriorityPrivilege	2912	wmic.exe
Token: SeCreatePagefilePrivilege	2912	wmic.exe
Token: SeBackupPrivilege	2912	wmic.exe
Token: SeRestorePrivilege	2912	wmic.exe
Token: SeShutdownPrivilege	2912	wmic.exe
Token: SeDebugPrivilege	2912	wmic.exe
Token: SeSystemEnvironmentPrivilege	2912	wmic.exe
Token: SeRemoteShutdownPrivilege	2912	wmic.exe
Token: SeUndockPrivilege	2912	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
540	7zFM.exe
540	7zFM.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
700	explorer.exe
700	explorer.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
700	explorer.exe
2796	taskmgr.exe
700	explorer.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
2796	taskmgr.exe
700	explorer.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2564	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
2564	Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2676	2188	cmd.exe	35
PID 2188 wrote to memory of 2676	2188	cmd.exe	35
PID 2188 wrote to memory of 2676	2188	cmd.exe	35
PID 2188 wrote to memory of 2624	2188	cmd.exe	36
PID 2188 wrote to memory of 2624	2188	cmd.exe	36
PID 2188 wrote to memory of 2624	2188	cmd.exe	36
PID 2188 wrote to memory of 2624	2188	cmd.exe	36
PID 2188 wrote to memory of 2512	2188	cmd.exe	37
PID 2188 wrote to memory of 2512	2188	cmd.exe	37
PID 2188 wrote to memory of 2512	2188	cmd.exe	37
PID 2188 wrote to memory of 2512	2188	cmd.exe	37
PID 2188 wrote to memory of 2524	2188	cmd.exe	38
PID 2188 wrote to memory of 2524	2188	cmd.exe	38
PID 2188 wrote to memory of 2524	2188	cmd.exe	38
PID 2188 wrote to memory of 2524	2188	cmd.exe	38
PID 2188 wrote to memory of 2564	2188	cmd.exe	39
PID 2188 wrote to memory of 2564	2188	cmd.exe	39
PID 2188 wrote to memory of 2564	2188	cmd.exe	39
PID 2188 wrote to memory of 2564	2188	cmd.exe	39
PID 2524 wrote to memory of 2736	2524	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe	40
PID 2524 wrote to memory of 2736	2524	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe	40
PID 2524 wrote to memory of 2736	2524	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe	40
PID 2524 wrote to memory of 2736	2524	Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe	40
PID 2624 wrote to memory of 700	2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe	42
PID 2624 wrote to memory of 700	2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe	42
PID 2624 wrote to memory of 700	2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe	42
PID 2624 wrote to memory of 700	2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe	42
PID 2624 wrote to memory of 1036	2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe	43
PID 2624 wrote to memory of 1036	2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe	43
PID 2624 wrote to memory of 1036	2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe	43
PID 2624 wrote to memory of 1036	2624	Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe	43
PID 1036 wrote to memory of 2344	1036	cmd.exe	58
PID 1036 wrote to memory of 2344	1036	cmd.exe	58
PID 1036 wrote to memory of 2344	1036	cmd.exe	58
PID 1036 wrote to memory of 2344	1036	cmd.exe	58
PID 1036 wrote to memory of 1596	1036	cmd.exe	46
PID 1036 wrote to memory of 1596	1036	cmd.exe	46
PID 1036 wrote to memory of 1596	1036	cmd.exe	46
PID 1036 wrote to memory of 1596	1036	cmd.exe	46
PID 1596 wrote to memory of 268	1596	net.exe	47
PID 1596 wrote to memory of 268	1596	net.exe	47
PID 1596 wrote to memory of 268	1596	net.exe	47
PID 1596 wrote to memory of 268	1596	net.exe	47
PID 2512 wrote to memory of 1376	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	48
PID 2512 wrote to memory of 1376	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	48
PID 2512 wrote to memory of 1376	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	48
PID 2512 wrote to memory of 1376	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	48
PID 2512 wrote to memory of 2916	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	49
PID 2512 wrote to memory of 2916	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	49
PID 2512 wrote to memory of 2916	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	49
PID 2512 wrote to memory of 2916	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	49
PID 2512 wrote to memory of 2276	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	50
PID 2512 wrote to memory of 2276	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	50
PID 2512 wrote to memory of 2276	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	50
PID 2512 wrote to memory of 2276	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	50
PID 2512 wrote to memory of 556	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	53
PID 2512 wrote to memory of 556	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	53
PID 2512 wrote to memory of 556	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	53
PID 2512 wrote to memory of 556	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	53
PID 2512 wrote to memory of 1044	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	55
PID 2512 wrote to memory of 1044	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	55
PID 2512 wrote to memory of 1044	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	55
PID 2512 wrote to memory of 1044	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	55
PID 2512 wrote to memory of 1016	2512	Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00338.7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:540

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\Desktop\00338\Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
  Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Modifies WinLogon
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Users\Admin\Desktop\00338\Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
  Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\windows\explorer.exe
    "C:\windows\explorer.exe"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\Desktop\00338\unit.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 0.5 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2344
  - - C:\Windows\SysWOW64\net.exe
      net user administrator /active:yes
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user administrator /active:yes
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:268
- C:\Users\Admin\Desktop\00338\Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe
  Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C REG DELETE "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1376
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
  - - C:\Windows\SysWOW64\reg.exe
      REG DELETE "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableRegistryTools" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt" /v Start /t REG_DWORD /d 2 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt" /v Start /t REG_DWORD /d 2 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C net start Winmgmt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:556
  - - C:\Windows\SysWOW64\net.exe
      net start Winmgmt
      4⤵
      System Location Discovery: System Language Discovery
      PID:2244
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Winmgmt
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v EnableBalloonTips /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowInfoTip /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1016
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowInfoTip /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v FolderContentsInfoTip /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v FolderContentsInfoTip /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartButtonBalloonTip /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartButtonBalloonTip /t REG_DWORD /d 0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C wmic product where ( Vendor like "%Malwarebytes%" ) call uninstall /nointeractive & shutdown /a & shutdown /a & shutdown /a
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2308
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic product where ( Vendor like "%Malwarebytes%" ) call uninstall /nointeractive
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /a
      4⤵
      System Location Discovery: System Language Discovery
      PID:2412
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /a
      4⤵
      System Location Discovery: System Language Discovery
      PID:284
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /a
      4⤵
      System Location Discovery: System Language Discovery
      PID:2772
- C:\Users\Admin\Desktop\00338\Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
  Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\Desktop\00338\Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
    Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2736
- C:\Users\Admin\Desktop\00338\Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
  Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:2564
- - C:\Windows\SysWOW64\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "880947124-2012016363-841212853-1411965581-285219658-1681589459-3257734521875819570"
1⤵
PID:2344

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2624

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2532

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:1776

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2944

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2792

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2172

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:3040

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2716

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:316

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:956

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:2160

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:1340

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:1596

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
PID:328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2880

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2664

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:812
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\KRAB-DECRYPT.txt
  2⤵
  PID:2672

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2236

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:1668

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:1012

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:2708

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:1396

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:748

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Modifies registry class
PID:1376

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Loads dropped DLL
- Drops file in Program Files directory
PID:1644

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1632

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1096

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1960

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:984

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1036

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2008

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1796

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1336

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2688

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2300

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2872

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1556

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2204

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2328

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2724

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2452

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2440

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1736

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2760

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2696

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1812

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:496

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2888

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1332

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1808

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2116

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2800

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:880

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2156

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2732

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1540

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1464

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2728

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Users

T1564.002

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\KRAB-DECRYPT.txt

Filesize
8KB

MD5
e1a3e3a71fb34a632f37b6ae0d210780

SHA1
6b50bde3532723895c0d392425c952cf13163334

SHA256
e4bdbda9483b6cb7e726921ce78f07c5c7bec278b997d27eb6f55598b643fe3c

SHA512
69b3ae044be0135c0d9d8879587331709d93e3075f83b224dfaad6911f407cea8941133a3153aa4e016cbdeab8f6815c22c46455ff7fce4b6dcf6c6f6305c414

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
352B

MD5
71638742e05283b995bc0672266a8027

SHA1
59f34016d8d1dcc20f9271a2828d8bcfc13ceaad

SHA256
3f79c803478fca8deb659a693fb9fc618e1cbecf9e51177658b4d781b571a700

SHA512
e75e900bb0943bd2447e61ca561cd293995c3276d431a8bd9654661285ce26f877d7a102488f8f63cc17edded687943de429721391aeb2401d00d6abb5eacd3f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
224B

MD5
0bb0f8f0602623d75f3ebdbe38cd78c4

SHA1
d163e5c10f888cf98f85c6be32ef0a0715cd5728

SHA256
e82b31160324f998ffa909e5deedb3584414de73de59b4fd4b319a45a1c2bd98

SHA512
6334aaf5094623d78b8da40ea73c424590f1931e4a53089b34b294bcaaf1a087d85ec8dd556a2681f319f437e1081d69025c6109c365c10b7f52453e6f50048c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
c4b6a8ceff0b4dd2853fd87731a3bfea

SHA1
9dc450897f6a13cd9ea5d02090389e826ec5a3ee

SHA256
528a1b0e60f80239b6f41e5e151bef789b49844de7e463a5b159a3ea4222b43b

SHA512
523b4f759655775a9fe4d34344fb767f09cde55c1f84563a3fc18ece28b029da8aad41b927710c3103d953ce74cd86f4c4d9854df0da98969679eab9db176073

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
5827f4ece21a005974a6cc73545676f1

SHA1
32dc2b7d9d8c3bafffee4cd22893350e42188141

SHA256
cb6146ca54337ab89abf134a27db3922eb3e3670ec50217a27e70f5abc10cc3b

SHA512
c271705f39b8360fb565b471cbb961af6afef92bd24f3169bf1cf7890f6f430075ac7fa2455ad04f47a3d9258ea8e7c420f6d900f0ac97b9a9e2bc7ef874202d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
9228f469e30517dcbc04bf443eeb52d6

SHA1
bcb4f621f8aa6fa8735d22e6983a44b8876017eb

SHA256
ec4f4eb750d761c5ffcc2876bb0fbfb9283e5de023e1db7456e709ee90469647

SHA512
44a7704cfe99d5e0787f78e06e36f74f64df99aa0ac97b6e3fc980e95151b90ce009d1356888753e7bd12b9701bfac6ffa75d3357ba4a9780472c70e09b852dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
0b61e020e531cc2c3138e92229d126cd

SHA1
758453bb48bbd95fc87d458e0b2627f497235120

SHA256
fb513dc5afe1cb166e10d76d756aa4a7ea71babb425e2738d9ddfc5e07efbf01

SHA512
4f24711a3a1413a8b8b572a9590f337e6cea9f51be893baffc57e270fc859e9abedd34ce738b33eba99d1d5b452859cf7ff4f79538eb00398959cdeb19012fd6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
112B

MD5
61a759443871119aadaa34dfbd69866c

SHA1
fc4a0b41c95db691b8dbefd4f459fa0538fa5930

SHA256
7e43ee38c681b53b78fd73c939c28aa11422cf1a749a637b726f0cc8947946ec

SHA512
d67b0ef2094b4ecc9596c88f2a4ef796d315ee59dc2bd15a5b1dc35974afe6bbcb368b9aec8be41a581c92c4007352556982f99b8e0161d9201e43c1e14b38a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
1bcfff5f186f85fea522b2081a66d2cc

SHA1
5608d693fad7896a1574de02bee77a5fb64cb20f

SHA256
8d8b2ef08db61f96a8212353223c1ed71a87b1e267aa19369b33cdd73ea96204

SHA512
76751b37465597095fdd1b1b5cca8a1fb00bf0565f754006b81c7885349bbbe2a19ea52327e1819d8b70bd7c3c94770348183fc75ba3929d71800d526fc2c004

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
155c0035a2f2499036c30e3e8ce2d98a

SHA1
b3b5c6b6a234a2ce06fd8230400b3c1e5b705576

SHA256
c48d6a5e3d7f425aec180c44c50e49af379383d4abc50691d9cfcdb1178948f4

SHA512
f38af3d7403c2214b283d696bba24c0c80bf30813ab31ba335d62fe36b9b95f729d58823610752960ce06804c7e4dac6790e8fecccce0b3f090ff0a06a1ca9d4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
f85145cc7f4b29a04e242834f28ff485

SHA1
71775e80f182598b1e9c6011b0d1e5c3a4a74371

SHA256
e7e5d48dd9e23e3b34225bc0c431982181f8c63dd0345d0cfda0dc80cbdcf010

SHA512
7556a25dc98a17753289f112b88393bc4cac4434dd1367b9f1c3a72adcc69d17f0673ebee17ac6cbb764020e6ad2984fa7f5919104dbb7a5e50938841bafc083

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
7e522a864e1c4ed2fb523a6df087654f

SHA1
582a657745fd5402285b9770738892b51fa647f9

SHA256
76c00bf12ed66351fc4ade01b820a8b2312ec58aa0bf7bb25a425581448ea508

SHA512
c72b1f80c7b5bab7f52e13eee861a0513e89167be06da58048a5ffd5e49f245144da9b0f6a50937d9996988b12a6802f94a3a2ba736f25c1d2c75512b346d65d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
900cf152cfa4ac6df24d5a93d80c64ce

SHA1
a0eea00ffcaff011ccca7842fd9abe5ad5e09bcb

SHA256
eee71aaf5c81e6e3c3fa358e3ae40374a0d6ce320c8d719678499945825213d7

SHA512
9e61f51d041161592e45a18279c7c73315e31bc6b8386f8e3993c9eaef8b05d45a51336a9770600f7f52d32cc2939ea44be8f3ac6c50c1968701e6adca6f8411

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
49754b9bd4f8db9dd6e1c318eb1fe47a

SHA1
c6da11d869825fb161861de0e89ca5b78e16edea

SHA256
67affe86f290ac618dda982e17ec4e87290763606e5415b17355dde77554d0bd

SHA512
3c5019b3b54c7700d10b3de4984482d16bacc308c3fa7c37fa86a843aa192e349d76cc3d299a2ec57253f91bad9e86f6189d7697bfd70432df4648ce15e2694c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
b3ef46b7edfe7de49c127b5f356c370c

SHA1
4cff2cf8e30a9693798032a43df94e6189faf28a

SHA256
fb6a31ad8dd993df04d8ed30a88dce5fd476aab6da42b414b5aa3b4c6abd375e

SHA512
0855a6d5d6b4878a236beb5ebabd688940835b4afd336c1d537a44512f8b52e9447b2bd21cb31dbfd3a68260007dc5f1a7f04cacc68cf5da8d6fcff84bbd9b19

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
7KB

MD5
8f5577c8e1db8e08f9c0b6c44638251e

SHA1
143d5b4d574474a7f59301049ab3c736fd9e1506

SHA256
b7182f7d68fa589a910190efec8c97d9841e0fd5b365925646abec46e4717ea5

SHA512
ccf26b477beeda362635f0cdfa4e2ad6923a90a8f5e8818e15bbe532fdd3262b225909d1c9e3727ad079a0128c9d9762a4c5d00607445f14651cccc900863fd9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
336B

MD5
d8f1b90c88fb9bc54b17366a29175acb

SHA1
f85f4d07418654f4842192382c162e4d42bd21c7

SHA256
b3c43330ada9142cf6d9ee37c6b055138c510251602c124ba5b03515e2d50fe3

SHA512
74158cb9f4654a8c814a2f18076dc94b4479f10efd7079bcb7c4bc08c29d325e23022765108350668137b3364399ace377e4494c128b19bc5cc93bd116cb7296

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
240B

MD5
e1f7cf35a6ee4720fda01724625bbb10

SHA1
7c2805988f28f004e000b2d4189780fb2adc6587

SHA256
156c2dcbb13b1e3b4e3b0c00770dee1d5a16831f2936a15a2822d2c7c16e5911

SHA512
3be60d544d64e6b7b603b966c84cc68bdad940ae8290ff1cb3a29875d5e87551d21f789127f4998d960206c361c7086982df4033e97fcc2ae5e9b49179f28e71

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
402a3e4af633b45f2628b20228a5e553

SHA1
891c1988e05e083b8cd1c57df3c49abfaea56a4b

SHA256
0f2c0eb6e16196108bb57535f468d4209b147f093af44b950f234d30729c34c5

SHA512
f6794fffac7ca56645dcfb6aa007ec5b1645f57bb8e49ca67a07e179e86db25129a4809a959a8dc9e6034078a3b09151030e1a54d369461dfc957670078268c0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
816B

MD5
cf4c2f771e802be9bbab1f6d6daa61ec

SHA1
82c6af8b6d6cfa8b62558e93b97bbfa368241c80

SHA256
dfb991b1116495d485f4a9fc9e1b982f96ebee078de859e30d9cfd0198ee3fe2

SHA512
a94c8fa329f3c5696a03439428462f34829fe447d354cfa36daa1d827fe2f87e2156e055a2161dc907c86ca4910759535b5f406108ddac5bbc69e20b6290f4ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
2e12fe6ab54005573ddf5e8eb3270b3e

SHA1
db8e6697ec8b350f1cb22f2650bbfcce5d827254

SHA256
06f32f0ae65984a1fd3b3650f06a50eb99121f07b5c34bec7a0e8f36615d0121

SHA512
fdea4fda9fbc02b3886b8f3285e4282f73432a2e2f12a391f27a3541093c45fad5180af709b1a15766e28b0f46e10b4ea1d9a14815f2b06fa9af1f46423b5d6b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
cb449c88c9cccf5b6384d6b60314ebf7

SHA1
14a477b5e6daf94e7eb0f920a0dbc387927a6c0e

SHA256
83bf83b99dffa338d09368af40b9bc9122c71de5c9b319d912996a696701b792

SHA512
8356bc3055a2034c1a76d291f00b3b6829de55dd3294a60bf9f7def7f641f211ea68b83713ed456d2b61e750e7219bfeab8b96f6ba0be38c95fd0354d2bbd72f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
c131ffdeca46fc140c926286f2822422

SHA1
423e7cd0b109172f043a2835131f82e7e27ba431

SHA256
f88113c91e457bbd1f8f14fca5bead3b11fcc9f065d4d8af8f00c0452fc39cc9

SHA512
99af3aefc29c9bd30daed43cd52c05f91bca441ffb21c2cdbf218807699c7b93523a0b967c1c17e29bb0bfc54999ffd315e4c6457aaf749aec2bddd2b4f34839

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
896B

MD5
34b030c7f58e16983885927603537120

SHA1
b22b6e098d9919ac1cbf2f46823d4fa85075bf91

SHA256
440f9a7be6690b61a4e2f8f93f0f126cd82a9fb5014daad9281693e527dcd179

SHA512
5c3f944453620c61686de46a394d718f0c7456d701f5287de81526bb3b92cea36702bd323b9b99dfc19303a77eb859a51220796fc08e99360a03f5a4a3b79d8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
864B

MD5
6c85fd954587a737f6056cd951708d94

SHA1
2c8567566a65bfc4dcbadef3c721ab9cc7f49d49

SHA256
9b1af44b9a36c2d3188059ca1295fc5a519677f36478a5ce70567cc8c3abb2f4

SHA512
3fb73207f98bc1d87d5a637a476d539cf4ac5a36716563eee539ebf249c24ba77699050b3066744bc99cc31a33a15682322c3ad230caff783d22c8073b8ba2d1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
864B

MD5
1195984b7bc105975061d678ffac140d

SHA1
65bf3f9e99f417663dd84701a1fd7b55f6ce15d9

SHA256
12ec73c8efcc637926f0f5d60d1cff8d75272a93a5f4aa38c150df566cb47a8d

SHA512
ff037a2452eb43fed46280ccf91f4c0a155c3cb61b13f9b7705f3a4c1285658eb886982942886f85674a6cce703e44c57b6d9b6e41f1e75cfc56e111a8825b1c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
30bb34414eb55937538d0da9c0018d04

SHA1
5ba12e83001df11a8bc604b841537600dfd83670

SHA256
7748520561c30740c27b0495fa5d0f8f3e07a45f76f425060f12ba876ab9962b

SHA512
f4655522db83b2778c59ceb36baca93682f43f854bf6760bb20ede89d0687f71b4edd686e634468af7654543339c0ab485ee940fb8804e36830b02fbfaee6a51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
864B

MD5
bb333aaa681147e277de48bde4edc902

SHA1
98e7497812be4471c97dbed08612fd081540d363

SHA256
e26d5aae5bf619c0bf2ff2b58d4dd00814ffdb2503ea41cc04b39e1f8840e92c

SHA512
ef8d82216464ee7bf95e11dcbbf5d51cfef83641304ea4671685c48de88ef987fe73162af9cf6decf72fde5effa05225975ff414c658b12ef93d66dbe9380ace

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
848B

MD5
7949ed2b4f03bbb943d580daca0b9d30

SHA1
44eab57224489adc88932114c08ef4b3b9e64c8a

SHA256
3394f8274573fd388ae927d8a4adb3e003aea666d5526aa28294e1c7c8818acf

SHA512
84545c496ce4b920a032dc982d3788edd9d2b3c10c417593114bba247b35d95b7d5272e261f1cb8222541d5cefa21d5395713082d07863406a4ddecae3e8d721

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
880B

MD5
be62e2d95085e38cd7073b5005f22f00

SHA1
a90113d612f3f9e3b8b1a21ad5335b5d956f3191

SHA256
9b3812e18f87ffbc46eb3c7006090499fd93c6a542ed7f3c87a84c08738c91b2

SHA512
0c579e50492cd2c68ec31ea0d269696877e6d267e10aab98396f21d15f0c94c8aeca6c38290f956ffa9619725af8bfc3fa1a54dfc76e35c67c820224962f9f86

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
848B

MD5
28a9ce78048dc3a360f27251c8a7c538

SHA1
01a4edbdf8814d002ef268a5e2e1f757966e61a2

SHA256
bd5fee9bf850ddb1970cf3d4712cf04ae158539f839b28533d0520c4cd2ca43c

SHA512
0d40fc6cf4d0b1faade675d8babf340075861c3294a36454a1cf33595ddd34764c7811685023495b93d32c61baf719c16988900342e5b8f5558238f233ebf22b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
864B

MD5
c4a6c18ca8c300664d5514bbbc2f8f0a

SHA1
5be316f361f396b829743a11397a97ccb36a3c21

SHA256
8d1da442d798169b2c98c5bb1d4d41062461080ad8c808c12dbc0108d0c3fdeb

SHA512
c779ae6d44673d6cd956f50fab457847cbd8ce34607e13ced963f6fe972a717b2a9034e9d16110acfc2610e54b40c9d1787c029adc3ed60386eeb3b9bc0e8648

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
864B

MD5
45c6a32130287e95cd230369fc35da80

SHA1
5a1085d56dff2524b1994f0a311826dd0911f2a9

SHA256
198f909a8a22a13293ca4d5b2241198192ffdc2e25f8a3a50ac595d1dabb20f5

SHA512
646eedabc98ee9d32cdece5c883f37c5b5f90ee4444f249b8bb2d8eca97f67130ebfd9730039bce281a01b77e7203de33a6e49f02f7c3e7e2e0405303fa13665

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
864B

MD5
a736c4bd39e902325a50d104654e5175

SHA1
a3ca2cd9eaa60269cce34dc23c84159fa86c5861

SHA256
51a768c4b07e40d49a3e6bc2b0105980ba70f8443efd94eea806d9fbbfeaa3bb

SHA512
e8802de76f29ad4b8926a5a73c054c28689d5c0673ee18a196a92d1d7b7dbdce0b9a7605f3485370a3458583ce93274656819d7d2a167f9fc96fa64111b82c06

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
896B

MD5
3767f230e5b018b230501d97fea27c26

SHA1
8673f4a902cd3959cddf37436432cb2139aca90d

SHA256
94db4e8449ff5af8312b727d70cf28e6db93d389cdd2c6116fd48459a4488b61

SHA512
abcf810372708ffedcc4f84a4741b445cacc22fec17f09383165e9d342d23662d2020fa0052a22ebae6df7c97222ac9d7b718337b3f794f39a5d8e2cefec1d33

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml

Filesize
247KB

MD5
b7b72f23ba089370546db2cd35fa66df

SHA1
f58f4efc4a9c7d57a816db88b09d8afa4d825626

SHA256
729a2bef41f179c8c83c3ffc1c1edf2030f427dc9e310ce930a627b0dc22e2c3

SHA512
f08422b7264b46f2477e4eba6b7f852e2c7cd1736d740ccd3226814a1c007c2d03450e349a3f81003e752c1c2fffc4f01e80f1141a56b9ed49602f179d4393e5

Download Submit
C:\Program Files\Common Files\System\safe.dat

Filesize
631KB

MD5
3240d73d8fbcd35eaf18e86adacd24e0

SHA1
6a36a22652aa17a2fc9e47a97ebb15187695215c

SHA256
9666bc0693c13514a763f8dccc854facef07154e28e64f5711b84e92ee1546c9

SHA512
004a703632e46abfe722c64d72d1f3c8fb83ce3b08b296a4eed7a51db71bb8f6f1cd54d3090b57c6272e0d0e0ab5b5e9fcce62e2c5165381f09d4d2a07ff8a8a

Download Submit
C:\Program Files\Common Files\System\safemon.dat

Filesize
207KB

MD5
84ce62cc88285d109c3ae0f4a12f04ed

SHA1
7aeef48a71a179a37d449642b0dae8c006e0054e

SHA256
68996c046372147c1e05869fc5478c391b41b243dd0beca564c863153371459b

SHA512
107974d9a500bdda4bfd17dbd44430c1d72f4f965b08874dceeefc66cc23f654d6e36f2920f4a47110edc4886cca6fa2aebc1f2e5fa125ad9e1f411f856ea4d7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
8df925aff7534ba844b1b8e8dd85f6a1

SHA1
90c3ecc7dd4323d9f1aab375384842e8cb96789f

SHA256
0e361880abfcc5e8b32b3ef4bf5b9af5e0db192e3f81da2f035e63d5ddaaba29

SHA512
7db8609dbcc561d1485ccd468c9e812ea879541efcf0160ec9cf9bd8c94f9808a8763022a752f7d7a0f8f526d99fb082db634aef7f2b214444c1bbfbfeb0ff7b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
274463912623bb83370beb1c21753ac0

SHA1
8f69bcbbb3031e21f3443d9f6e29e805e578934e

SHA256
ccd288fa527d6edb02508f2937d0489fe7ade88eecd9f6ba1b2645e9a7cd82b7

SHA512
6ea6999ce5d1aecaa1e423eb730ef00b700594b59ae433ee6f587aa53dea4e7e181f183f811fdc37617e3d8d0a68a05d0353a24afc4eb80d71acba5211a11c4d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
3113cea63d6bb8e6d2dca955ece7a8c3

SHA1
9dab61972188ca5a70eb09fba510d58544ecf341

SHA256
5a7a5df1c89200facf51e55ccd7a9e5fda5140e8ce32521e1a136b90d7bff089

SHA512
ab53f11f756c9ee2a6b42da39b4b47121222a48fee80d7580a7c1eaf3c472631b92cd2acfb76d5bf25c304559fc23bcc1c8db9570d30230d5acb4c2ab9fdc249

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
8bca02d34bebcef3ed4fe1ffbfdfa789

SHA1
72a242009e6c7ba38edb61e5619c08c76690b516

SHA256
0a7b53d0c414b1e3ce5520bb6a59e9a6662d7f554fc4b5c1da0ea0ff4875bbd9

SHA512
2f73f7f459cab53bda20842d8dcfff25e409147bd4faba5bde27fcb15c4206bd4e0340c6c41e34d1d733539215c26a37cb745a1ba8e9e67b155fefc7e2329880

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
ace385ef14d809e9722fbd249344657b

SHA1
0e0f65435fd0f69ba14fc442a6aefb0c0a796046

SHA256
4f23204ae0f9b67a9cbfc671ac5f6f4e6ba14b9dec0f8d7fdfee0e0bd18e53c8

SHA512
9207b9f0511078dd0055107c89d4096acb1fb188b1e38ec5b888dc45e7fbc2b40319c97de3a2a578e3290323179aace1a6cdbc42360771595070751c47ff2c0d

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
8ab1a1fcbf706f1462a6f4dc0a2c42a9

SHA1
da5c080e763132bfeaca03b382650c5677329031

SHA256
67a2a92fe5a82d77aa09e3d0ad0f971cfc57248009c5c3c9d338fbe6cabb7c00

SHA512
554ace2f20eca68cccc9230876c368299b557726c50f29044f3198a525d7cff52a34c7c66d387a8454a2f4837eaab59d42a08fc59bb8da302821da868d45e55a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB54.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC8F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25242\Main.exe.manifest

Filesize
1KB

MD5
ed09f4127e27f4a9c806e2c4c79d455c

SHA1
88b257aaa5fee787ec388976bd3de3c9c468a981

SHA256
97f892c90ffb1978df13e22a6768a424e95793314c89427a063223634cdd3c00

SHA512
b6732ced3b76633dc899fd9a8f7f89c8d89f7d2392aeeac8bceb6c66357952ac0667aee8d637d7a93aa1a807f5820114f4ad0386f80cdcdf3350c4408352ed3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25~1\_hashlib.pyd

Filesize
343KB

MD5
d017532abdfe0a1a0d3db34d496b4b5b

SHA1
b2ec9e5c748a3f34e7185ff88f6697b6f40435f5

SHA256
b62439af70d43c1155042f907f54b1125a6a8d75cb4af185acdf9e8b8dc3f9ff

SHA512
60d4c52484c1ba34c59525e3418c38e2392651be04cb2552a072ad6db1f52555aac3db767a6a823841f528fc28d3969a0c07bbfb783c93d93b47c74b5c77339e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25~1\runtime.cfg

Filesize
1KB

MD5
d59c6ecab8570ac08ac48d0cb2872786

SHA1
f1ae705f44d0dcf93fa79c3ac3d5683023b52645

SHA256
298e61efbd3a402e5060b2225b7d62d5df0a106a049d593451b7091faa49b603

SHA512
72d785fba2930b34cb4c65cbdc63bb59f9b0bd9ff03ecfd41b56bd292cdf219eff013a03f7141cd67ef5ad0292a57b23a2e1415e6191b9d0ba4b6f19d1bad24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25~1\win32api.pyd

Filesize
33KB

MD5
01bc9fdfbbbea7e0be665b00b337f621

SHA1
3eb076944e1d11d10cde4f809cb82a44991d1d11

SHA256
bcbd63c2a80cfdeb2aac4468bcf294a201db1d2c91d41f20ea505248607d429f

SHA512
a61a5cb729c7e1e50f4207151fc51d355243d6be674beb547f78e8af56064031d96fc46ac04ea6141e4a548a0bc69f503aac1982d8a263ec25c45ad468233458

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25~1\win32file.pyd

Filesize
35KB

MD5
cdfaf507c150ca98243a97de221efd4a

SHA1
be466669bf58beae04ea2a478b2393aa76d4ae27

SHA256
c21b2c0ebcc3161fb43e4045896d0bbf67e0c5f59c9fa4de5674b91781dbdd29

SHA512
9b9384499095aabdaad8ba1f060afb86460003ae9d378f0e25212c3b669c2700d6b35154d78f8f7c60be7b6adf4aebb34428d55612f02def795c79d1177e86b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25~1\wx._core_.pyd

Filesize
184KB

MD5
2b3d6abea3284c442053b2791ee6a44a

SHA1
fb8ff2deaaebc9f2aefb53ba436fc3b7a7b726e2

SHA256
2563b791046e9d04c792d3414070c77014cb76ea4d4a5272b1e1859ea0e86656

SHA512
725c28aced957a9158644612e6d92c8dc5cc6d1a1c684862e18363c08047e766162276544eea43b2480ce511c64f1c0fc48235149ca96a943a5f162f92bc7423

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25~1\wxbase30u_net_vc90.dll

Filesize
63KB

MD5
4b56e32265fe62fb66de88f69d5040a1

SHA1
d2ad84c1b2b951a0fd86972c7664753b4784395c

SHA256
a76bb74cedc0102c4449c48c26a085e2bd4ba68f5abee5c1abdc7eba7cadcafd

SHA512
da23f9348bb75ca7e5e8b4d3851def8f4253e71b4312eda1fe5351859480ff153dda690b4e66225711fbe4a815bcc1d41347d9b867ff292d9952032dd6a483ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25~1\wxbase30u_vc90.dll

Filesize
862KB

MD5
01f43663e9f90ba379a1b2a0afc379a5

SHA1
1cdd446c0f06686a0a70a74093902f14896a1894

SHA256
ba7aaff3e1a0368a7fe754c40a1944e33d2b4d727f343e3a0caec80e78c94f48

SHA512
d62d7c8f15234c7c86eddced663c5d9e6b932d54f069a062f599b8790a81861487c37d78b868b86d1340049a482ccea6015ed47ee0ea164de161f55f793f22dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25~1\wxmsw30u_core_vc90.dll

Filesize
1.8MB

MD5
fba36b620fe82a4a25a8fd6d2b37e206

SHA1
187c35319ba684426cbf4ab028b7860d051d0424

SHA256
c334e02bd7a259a15d09d1fb9d3da5d90047d6785655e1728bbcf3600e9842de

SHA512
2814e7c3734a01f9d077c423c566145064871a6b2811f925a0eb47090b7d100c2aa00043abc960a89006d0b25029a09e61a3a77ee76dfa1f7343c91ebb31df25

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\KRAB-DECRYPT.txt

Filesize
8KB

MD5
30686f6f27460930a80a5c79fdc72d14

SHA1
62e5751de13f318385f289b156785024d7b939cb

SHA256
2fe6c32cc73129df5f507f95b81952aacd7084fbd4188bd1221545f88311f66f

SHA512
8dc784d2d077a28bc475944ab7f065cd2c17f445021dad8656f82bf5fc4598fb22e49ddadc355fa518dc0dec299db70d4821c9b3efc901d4ec102388d1fad522

Download Submit
C:\Users\Admin\Desktop\00338\Trojan-Ransom.MSIL.Agent.xk-df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737.exe

Filesize
623KB

MD5
a93b8e2d5292a52d6dbaa3b34c81beee

SHA1
10a2a89542eccc52da2d44f182a45cbba1f9ed12

SHA256
df36e2aaae85f07851810a829e38a82827252fda15d4c4410da085d59ce38737

SHA512
b0016cc77c500c8d9203681268bc178f1f89d2e0b22d6d16d2a5a3e1a8538cb8b6cd736ceba033fa2c38c6e0f0e45bd431589fbe0ca67cf4f3d922dc918297bb

Download Submit
C:\Users\Admin\Desktop\00338\Trojan-Ransom.Win32.Bitman.adnq-3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c.exe

Filesize
1.7MB

MD5
35a4eb78dddd95840c00708c9d268dae

SHA1
9411809fc22c9c365aec66da300ab87c519f4f6b

SHA256
3ae7d7991933d0d16325bf9aef13b9e8fa9f5b59e9af83d8eb19324ca8f5501c

SHA512
dbf1d4b396eef96de3dbde0e7cfb7b72eb1118d08f3b564579ad8dbfd81441eba196bb9dce2d66ad0deab7fc9e841e7ae5b0dd91217e46b5aa957851f900c7e0

Download Submit
C:\Users\Admin\Desktop\00338\Trojan-Ransom.Win32.Blocker.kwyx-a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f.exe

Filesize
2.9MB

MD5
bd20d8afabe658816d06301b8f367c7e

SHA1
ca99a0cad332fbd5346dc17cef334f741af2f007

SHA256
a64dd2f21a42713131f555bea9d0a76918342d696ef6731608a9dbc57b79b32f

SHA512
f9068ca38b1af6990cef61f8a83c50484e1085fa1a0f102a8bc7e225e580444d1373cef78e8a03f22a85a665c89c59542a9f0e5d8c21c055df49e4a5a16f5ae2

Download Submit
C:\Users\Admin\Desktop\00338\Trojan-Ransom.Win32.Crypren.aeca-f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6.exe

Filesize
7.0MB

MD5
3beee8d7f55cd8298fcb009aa6ef6aae

SHA1
672a992ea934a0cba07ca07b80b62493e95c584d

SHA256
f0c292785905838d08b27bb99ab260b43fd8de580de80017fdaaab3c3d53d8a6

SHA512
12bd64d10620c1952127c125e7beb21b3727d8afb6440d48058785267b227a534ee6112d84372749496481cb6edb5c90eeb159689b443fe0f10f4a9202a83a5f

Download Submit
C:\Users\Admin\Desktop\00338\Trojan-Ransom.Win32.GandCrypt.fcn-9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe.exe

Filesize
3.5MB

MD5
74126d85cbd545fa8018c2f67346ad86

SHA1
9852bac6662d524379468d8d6b0d51cbdd840c60

SHA256
9e5da4b7f92cc06af3807b49581e7b896ae19406bb0a2e1b7991f3ef17b7c6fe

SHA512
a50043ce6b185a3b15589e74f9d926faadbb0de1f2a8147fffc81b8f1896c36360668c66995d6782a3b5e3ae2a3e6182dd823b2b55af302630eb902f70e1aa39

Download Submit
C:\Users\Admin\Desktop\00338\unit.bat

Filesize
211B

MD5
7edcf3410ad65c4679636bf1fa9b9a67

SHA1
ddc2b4067088e4e5cecc875994ed50330e19831d

SHA256
4a10eb1c56f6b709e9c81cc2e3ae9a2cc1d5e02f1bfb0ae2a0651884d5d79456

SHA512
49663750fb9bf587c49b54b0e8964fd2474e3e9182290373e0144bc7525ca04203e2879726923a1c1000533db4daed5bcee384e1f5e317da3100622641a52fab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\alert_sml.gif

Filesize
64B

MD5
23065ebd19d9f96e62b3e8f59ca6b2d7

SHA1
75478de2827cfb40f45fb54f63638ec70ed54953

SHA256
6a713977e15cdc18b3a345666560b505b65bc7f5841bf7c25aca6451d8fcdfb5

SHA512
a171265127afe0b075ca0d0c771389f236df523d06238e36b4b4493d9a77d7de6b5432861f9c7488c540b0a00b881162dbcbc8886145f69032b3c1b92f4a36b5

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_leftCorner.gif

Filesize
80B

MD5
b272e6ff36931c1d8b7fdfed079d976f

SHA1
273c8a7889950ad8bbeca8664ea8476f937e0093

SHA256
e1e9762e637fd6c17cfb62869f4ae0aaa85700398f5873bbb8bf1e38d8c086d2

SHA512
06700cbe87fb6ce00997ac94b8090f2551b22f2c372dd8ad7b23a0cc3aa172612656866817d5ae41fe730d5d3deb5c4887894af26cf2851296f404302df78333

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif

Filesize
80B

MD5
5a1397571b1981144913d2f8b196eff3

SHA1
e71c3f6362b4cea60bb970dd2db2684c0a21d1c5

SHA256
1e303d04789925b463d6076201415cf04a47d258a94b336f54a228f8b0fba4f0

SHA512
49271d2ad44cfe81f1cb7de7efd4996c6f6806fe357e72a687b05c0d2825bc47cd4550ed850daf7570ab569723490b2312f05ba240ac0e979f28d22abb4f4b3e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx

Filesize
6KB

MD5
5b0646bb60320e777592550ec463510a

SHA1
1398083feebca13462160010308638ab26d48e14

SHA256
60864ea7099b10ce072e83bca200702b5d3b38be3061b4de01471648bb787eba

SHA512
e2f82f478da389829956836d7bd0d404cd1676fd321f81a2618b351ab3cab4d0be784a77144c9ad42c149d7b05987697ae036e7970e21115b884f2db60ee85d7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx

Filesize
13KB

MD5
607ef9e4fa685e9b1a605555d7221d88

SHA1
85a3e9480daca523b44919603a0f39c925913050

SHA256
e871bd77234b685e1b5e8d0c27f5d7eb998f95fa18669fd476483c63944a8f02

SHA512
ade88dfc2f4a1204489ddad86fa7107d606ed1baf596e0aa2088c5742a8706f1a263624240efbacfe5f45a817a38827b5d1c698e8e2427da09041dde0d2dc203

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx

Filesize
3KB

MD5
edcbb203b6617251be945987f8772360

SHA1
04f6cdaab6cb2024215afa665759afa34fcbb09d

SHA256
55c01d3f2be273adad9f26b18f231be6a5d34d8363686e204de4b3a3bc833800

SHA512
f33885be3416fc18d9e01ef720ff1e3683447895790176961d6f49cdc70800a57a8f55dd21caf345d7278cbccef5e97af2e24cf42e960f4057f93719d5c76310

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx

Filesize
6KB

MD5
5db79af2f0b0c09a19f8d85341165440

SHA1
ce244cdc2f9bb8f9e62b919626759d853a516006

SHA256
ae8b3126f9c569936bef02dbe021b5a6a209b2cb130807e56ed6f09b01c0873d

SHA512
5ac244480db702d886e4370fba608fb1016c81c6fea873d52c7d649aafba2cfa1dd15907140bc304f25c4a0d23b5c092cec9b829198803dbf1c3898d1fda4182

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx

Filesize
10KB

MD5
0fc3dc26586991b8a810fa0db07d67aa

SHA1
58ddd6bd65d3a4e5aa2286e4315f852e38ffcdec

SHA256
c48ae7e5760dd4f0f74233ff29d379c9007610b3d229bbcd4d181fb0f42cc9f7

SHA512
92585297d318871f6777dfc840cf21cbe8a5f2cfd0b26650a6963b87cf777f810369607e0e9a408b62c20599779bd5c309cd4bb6c40af887945fb9f9ff866aad

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx

Filesize
68KB

MD5
ce2c8565e84f4868e20b07e4f63bacc9

SHA1
6f45473693347abb19d26d212742888ce53b3e56

SHA256
48fde54d92eec98f1577dece4395774e813b18b9db88b5c568366481c4469737

SHA512
e65c8250c2ec0749b5fe0527937031dbc8e8d67e524dc2bb32636eecea3b59d534bf4a1a680c9934f10530ca9ed75555011e0ad419af7ebba506f73e2d509158

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallCommon.sql

Filesize
24KB

MD5
caaa4bc3d6efd044f4f09c348365f709

SHA1
4ef67c0ee39a3c24b40b711ddc9337381e012bea

SHA256
92089d95c3e69a0973a1171679b62523feaf8c65f4ab5c8206d387205cffca8a

SHA512
cead4cbc6f017410a3ca5666e2829026831bc21398b04f6b468ef70ccce25cb0f8040f45e40009dbf806b668f331660e6ddaedf31085a237c250c85e9bdb7340

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallMembership.sql

Filesize
54KB

MD5
de81f1dd0faf36adc393b4b883c91959

SHA1
6e8b8a5122170368373e2548ac1dda5db9733834

SHA256
e62f183aae1acb109c8b3ae337005dd94c73a6cee3ef2486f270976e29f63116

SHA512
c7114d644254d8f2ad54373cf8e62cdb65c3eed2cf80266d06fd94c11169663c7ed9355e975ef57cc9374ddf21c6ba829ba97586f5f8524856b72a5f003ec0f3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersistSqlState.sql

Filesize
51KB

MD5
83a9196b927f2761b315328a7fd06e37

SHA1
0d2f6614c567590ac0c1e3ef1ece7d9ec852337c

SHA256
346a5d58e08ea341f785f228d39d2009238de021678bb871b42fb764c9dc5d47

SHA512
2b3d8a1e499b40fdd686315515af566aa47554745bc6418efff6e1e1d4b7aba3ae7a3c601b45f1be89c4829ada288364332b88b41eb451ee6d17425b9addf0a9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallPersonalization.sql

Filesize
34KB

MD5
1aa4e30729150469efadc1e0895c33c8

SHA1
ee97ba7d82cff5012563c130bbe6de718458b63d

SHA256
9fb9175a2ea10c87c413d8a89cb54a53c6ad0a3fd8a1623e624552c338edd70e

SHA512
0ae4a76dacbf33d6b75ae5c4fb7b907f85dd6655e09cf5d53a8d7a485f74c237c0551e5213696da9a2dfa55bf596938ce83f0fc52b6885d6b167c53ab96a6db0

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallRoles.sql

Filesize
33KB

MD5
5b9f71dc4805a02a323e85d1ade55a48

SHA1
c1e90a2bc8fb8a71f06f3fa8797289f7a4612951

SHA256
4344350ef883f53ec22be7432b95c4b0f64e43ca4bec9b4a6aa73b189fe2f567

SHA512
85431102ffc4f1d476a0fa8e8dc9fb89e33b4e153736b8f6bccab93d90f9d269eae16da8760a1816704c938e2ec042731af7c0becfb257c35ac990ae81e8d267

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlState.sql

Filesize
50KB

MD5
47d9b174e0dc712b3c7f2fdbe6959fc4

SHA1
9c954bae8b1404a894fc5ec721351d0a964275d8

SHA256
8a3c4d0c0fade7af1f7ba362383c149aec12e3980a00cfa13646e7c13c36910b

SHA512
dfd50788421729041aae0a14f9a919cb0187f86efd3bea1e1f70450199d825a42aa7d7dc266b32e152faee543393c5845aa7ef2d568206a75a420b9ce18ef711

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallSqlStateTemplate.sql

Filesize
52KB

MD5
766579be2773757be80e644bd766d099

SHA1
c43437e5a1d2c25c1ced2d1b06785e51cc089318

SHA256
d183e49cdca04dd70449e701aeceded6fecc2725944956b350e0f9aa7fbbc227

SHA512
d6077c70c56003f6eb4c859ea8f13f586f5a7bff77480dd4e0374dad213615209169f4baf5eac471d76dbd4db63c4c0eed742041cae80b3ad40a92eca54edbd2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\InstallWebEventSqlProvider.sql

Filesize
6KB

MD5
5d88e4ad03402443f7fa5632664dfb38

SHA1
7aecc1cbb5ac4dc7aaaba1fd645360cc4b05aab1

SHA256
c8f9be78e54700bebb6accac1960dceac4e4abaabb824da35a5d44035a5ecae5

SHA512
2ebb8091ea907b506e05c58593a769f072a9dbafe4a8400a7f8c9ac1c153a608f7659cbd51d178eb2f4534f070874d48bcfdb7764236015098a2d8f456aee531

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallCommon.sql

Filesize
3KB

MD5
9878c7bdafd236c9c3d07e7b1f93e856

SHA1
f90ff0367f0871694bbbb2583d5b36325027bf6c

SHA256
4362509d7a6376beeb305f11816981dd5da468f09380ddece72722505e25d914

SHA512
b20e9df914bf8027b55485a911476ca0c6b07f8790c9fb6b8cc80596ec5d6a1ddb41dd36e66f7259c03457de72b2f7372551d61ba27b25d21b71b80717bce3c7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallMembership.sql

Filesize
6KB

MD5
bb3ec946e760626365441a53c2d68229

SHA1
67e98439258a5574a2019b859e3349b9f7c19727

SHA256
09801f010ae950cf104d0371ca776de2d54596e0e0c6a36da61d94cedb24bb2b

SHA512
975ebaef23440452afded52f22cd3e05c4ff1bfcb6fd498febbe5261d5e375f052ad25bcbc45820523f0b77463049a8ca879a2ba11fd917e8356427fbdeceb57

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersistSqlState.sql

Filesize
9KB

MD5
e0e865859b69ee1a6bc2a8b2d323d7a9

SHA1
11a5848f9a0e97ed594caf527bc645b48b9a08b4

SHA256
855ebc9290a27714348a0dce7be8bc29e7787b32404e5d82d34334d4adecfeec

SHA512
5f773283a623884404b2efe075adbcd11ed0af55c7e889d25e0ac7fd31e247424c78f1665def9c642c3a3981fdc2bd6f17e0d1af396a3240eb9c0beca6428eb7

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallPersonalization.sql

Filesize
7KB

MD5
c1b7b12f7026b79d77f893e78db2bfa7

SHA1
c2bacea85d14cc8343901dcc41b783cd46a57183

SHA256
22bd18260f5127300ef4c17537f2e4ac30eb5d6d0a0e16646a7a6f084cbb96b8

SHA512
20b217c3267dc25eb87a628ff29fff609ae59314ab989ef973ed2aac308b44ae8e336817a71cadda68845d70d6d28e029cd3cedbecbbe76367677bf42e4cb185

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallRoles.sql

Filesize
5KB

MD5
b4b9d7a5ff29d2546df79d3c561a0104

SHA1
b43a47684c931cde8be1061603a7b7e6041a7ee4

SHA256
69709c23635d51d9b5dad2fc22559b54123880627566d65ab072ee089b699f83

SHA512
a221e94137b3256e652a2cb5c047f10feb44f8b83c7dbe6d8ac5dfacb95e4a1d9148760172e6ba800689caa107258901f53d0d1ef5cf9fd2943441ffd9f6a31e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlState.sql

Filesize
9KB

MD5
3e1191f233a0b49e7afd8282e9e8d14b

SHA1
d17ba397a90c38c45fe3a814babbc6189ae071fb

SHA256
4a223a72ff74890f5b4331db74772367c5caf9b841ea0a5622825fd411eed7f4

SHA512
d051c030d1ac1263d46676cd5bd0a9faa9366bad51af04e6000360ddc6ecb82e232e043f323621504f2a2f7b32d4e4eaece497726fb59335ec60d546e092607f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql

Filesize
11KB

MD5
ba42716b10dea0e7d68dbad5ca55c255

SHA1
e1cf27aad065a7ae8ade775441d1d3b56eaa1afc

SHA256
ddde1ddcec7272656ff655fb6e67c07c51dcd0376ee94a3622099681c198cd5d

SHA512
847ab9d7c55621f24c3f7501874bc02060aa927f7d04905d769223f1f7ab9e50368cf88bbfd662c690bbbcd9076412b657a777046386d0154e70be489f8cc093

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallWebEventSqlProvider.sql

Filesize
2KB

MD5
54843e4ab38ddd0a09c64f22bc827f3a

SHA1
b5bddfbf05cf7f71dd3f4371102be4e0216f350e

SHA256
982dade057a8e60884e67fc5fa46c18b41cb612e3443ac3ca91fd1dc1065be4e

SHA512
a40d693174b10b046e1e958b74f69e1479d9045e267da2c5cd47ffa5f241d85de197f0548edc7d9d3ec4748aaf6a2d7c1d576e30107a21fcf6d2a3af91bdb40f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx

Filesize
3KB

MD5
f462fb5d82334ccaf2c59e2b5a622e4b

SHA1
577a1757f8f50d2837dd22aa4cabe15dfc92f5d7

SHA256
82ce5e707c6c9a877a7702c9224d9fefdc3c080feddd0d7e89bfa5301f9f094e

SHA512
06a4f23919e4611b18c6332231ab32861b31f0704303dff42abf4ba7e8a868acfefb1cd1186bf2210cd6eb6b1a75a36bb176ac2a59a1d79d8752c7ec94e31464

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx

Filesize
2KB

MD5
6a2ca787dec3ea1aa11766db15c0303c

SHA1
bafc9c6067f9feb3cced1373c3cc5e86e6102b6b

SHA256
09d1f509fe0bd92d5dd274c604d5af003f847f42bbd321094aa1a7a4365ff60f

SHA512
6f585bf8af1aa28112cf8e7a8de81a95602eb61e71c8690b498b2df7ab43141792b86443e588f561334d0c9f730afcc17a8003f106ba56f7dfe6468b2c184bbb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx

Filesize
14KB

MD5
ed4b871301f9e29c436f45ae1c5bb7d4

SHA1
bf74afe3ae19113f201892b1c2137ee865f4b312

SHA256
1ea515820b3a5bfcf6e3ba6aa66eb8c2383cd5f95e74ed63047e68529feaf39a

SHA512
1a3a2c1d34abd36ceb75a8172b6d85622d0dc3a2ecf3efc31fb7bd5cd03d6ee0d8f4e51c19844ff447bcab24186340e101a244204974c2713a14b86c496227eb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml

Filesize
320B

MD5
1200253f7d8f4d1e7f64f3d3f9575863

SHA1
a37a6be07662063c179b8f7daac1105578e642b1

SHA256
d32c8711f25f532d2c9417c3702c9510d391f2afaff9672bdda116c27a051272

SHA512
33fc3d7e27da0ef9e4769380e8b883eafb3e6dc3209f7c8a874e54894a3e12d550021028ee0118d50b2593d26360db0a1e823f9afc4ed64f10ab56164df05ad9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
9d707cb13cc12ddb20f33ed53ea03f6f

SHA1
c7c09e7b66f24b46897e38f2d06210b4ff792b1a

SHA256
870a0bf0a4fa7ebf78d1c78ca2c33d1c0256402508185466a1f7082e91d712ba

SHA512
c7acd007d7f29ab4a6bd7bc6fbda2d439eafe67536765827a7cc77a1c4b5e12f5d439845b39389aab83de07415d7a4c1997ac0835120f7fd4bc1b92876c788fe

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
23502c28cf86df4dbfd38f8481aea24c

SHA1
9332f38047f59d0e92ab9fa97b45e3099b8894d3

SHA256
b9790156d52933a55014cc7b240896d55fc802e28aaea7eca5de18bfd9870b21

SHA512
ecafbc6e51a5db64c3ec12bb91b73638123ffd0bc85a916dd8ccde7648387e5d3c73b27b217575aceaaf3e0e96226138542e74cac9afba770731d584a511cf69

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
960B

MD5
23d3fc284051e0f39af336fc1c5358cd

SHA1
f523d8306391fc08466712a798443cda76249ea5

SHA256
8f075376db752363d0321f4f75266bd28b9ffa11bcfecded63bf7a32b0786784

SHA512
213bd958364a1bd7f1033cb5938db8cb5447207acc674e92c21ba56b09e720cbdbe10eaf3b7ddb875a3111ea4a3f096ecff7d557c0617c3c2d5537b4887f6e50

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
128B

MD5
cadf4fc9283999f1e80a539d50ed8845

SHA1
b37a4d11a3ee10cc9c64ad446e1346d063423700

SHA256
03727dec10f6d59628b8f3f9e81cd083c893bc93c740c28fb3ccbaf34d28f13a

SHA512
9832e271e10603b1bec287fcdfdc8b4fbce954458d038185572d7601df5cdfcae7a29ae0b15ff571e2369f77e787f9d5fc66ed66bfeb7d4d790ffc2182d93d11

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
bdd297a46dec6e3eec4759a129460e37

SHA1
5aef938f058528e063a71b142a2c688bbc6c2aaa

SHA256
1f1b4fc5d21dc0703c6cafb1a6aa2d919ac125b89e96e9edfb5e507b64213bab

SHA512
81fdc87cafdc120d47677c6e6eccb0856ccdab93b3bf8f70ae6329bffdbfcf0d1c1c34cf52f42503985cf163eb6636129a8a3acf86d7a5962e521f3471b73b1a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
423be77338e818156c12755af03dc5c4

SHA1
c1007a7c0a9a55f9fb4cf934b6258a05db867107

SHA256
83d26fb41245837f914598e3186bae1f5254b87f4a0e729ae9c44e0f3544628d

SHA512
c2c45b4966c8af26bf92098634f2495a141d8845fecfa72fa3feab6b5b55d16318f77d24db9f924a6b0ed5620985aeca3084f36228a8dd5af842f44662e05ad6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\deselectedTab_1x1.gif

Filesize
64B

MD5
2d24fa48700193e2f0c5f4a90585cd7b

SHA1
ac7664f61ee5aee5e8c7199bc800d600bf144e73

SHA256
de1847ea5fe343d567f15b753dfeb4f5c68f36620c174ff444b81e804eda69ab

SHA512
9348ef9211ccf323f7d4f3dca605a4afea410eb44f8eb160808765dfa2fbe4cc6b28d6516022548e691b12748f6eda563611e5392551d844d1d6269d201040c8

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
928B

MD5
ac852f819d6a64e52fbaa8068a0b21f7

SHA1
775eb1ae21ec44ffc65fb7d9ccc1d437fbca8c0d

SHA256
de4439e133159385c790908539de9571f46290a775529ae1fcd45c61367e4157

SHA512
bf8701b2ef4a308ff69097e21bef7bba9f3e9c1e045913e308eabc3e50ea1ffbd14a09f5858da90275999a6fed9753f41bb9a19339d4613a9b9e5851d01c0479

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
96B

MD5
5325641214ed3899a283581e12d27f82

SHA1
df8fe6cc2b879950fa04613a50e877345126b950

SHA256
6fa59b6844d519b7f8fc23f1c54ffde9524beee05e9c3e390fbb06111afb12af

SHA512
b3f8531c09654da57cd81ca6004decb33abc67e473f75f1ce4bb6f30cffba58a06359c79e32e40a967889c0a76867f21f9aaeaaefbd6084a86a992e877db6710

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
96B

MD5
6dcd50d46b57dbe99a4993be0f38837d

SHA1
82e981aa4f98d2dd2531c6b50d3e82ffbc3406a4

SHA256
98f57d66ba80be5487ab7612fe172c26a8bf7fb8b8776aa76b590389b3afc34a

SHA512
c39c4ef662ac907574bfa63aa2560a5427de82674a8fbe24437086c1a4968927e188c958f00894aa8c8e80a305384b2b213c94b0ab8f3621efc6726aecf8d513

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
336B

MD5
e41377b9a7d3029079f0bcfd48ca74b2

SHA1
97185804db3c39c34cb333622c38e2e0168b71de

SHA256
7185f16bbc362d2481f866c0dd376c6ed3439160378101eeb2cae808a75bb1ca

SHA512
b5a33161e4db598db80f26132ca2e795c32e272dff61f094f54e2280d5ab70e6bfcdf2e4843b28b18f73943d65e2e100fdcc0d5bb18781bd6349971a1374ba9b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
fd919752149e62e2bf3a68ea3bfe310a

SHA1
2f3520f5363ec30695f00d9fbceb94d9d8752061

SHA256
2776fc9bc6df9af9b7553a2330553a214f173e422e442e32995550b33602426f

SHA512
390ac8d912ad8634272d0bd0c98427c7804e3604c1f4bb47237c1af195bb5754e77656e3f6bc6349f8a3ebc35436eec555ccfabdad1dc74d26f298536ad91a88

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
176B

MD5
e22ee03de4d22879dbc09c25e987e275

SHA1
6298d309e65a91ce0bdc0d65c63339ffd1a5d31c

SHA256
9451c576a5c8f38f123f8d667cb31fd883144e53b92be295545ef31686746af3

SHA512
b4259f87f8addd38f20724419fdf31f2b7c03e314e8219ab306de78b4be38de1cc9ad7fd6e79367e306322b3629ffe256812006b5d923199d72225864ef3f714

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
592B

MD5
2c4229fab0b3d795d6a1021f83b8bd33

SHA1
9adbabf6d11008144e783c44fee9896518ddd17f

SHA256
85d8573efd868234361d59d28f7f42e7a3bf4065d409d743c24ca1bf09475d84

SHA512
02bbd91896c748ea03273f8053f9cdb2c942e94396477ecd3c252191fd3d9269b211fb01f1a82f8ffc6d36320119bc00c13e68f258e94abfa063e3775ffbc81e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
128B

MD5
4abc55c89d75539747cdf16df4e2fc6d

SHA1
31788ba368f5fc8745f1796fbc435bcb984e01e4

SHA256
62ede19951c39e6884504c9d23baaa85149c5f92350621fbd2b693bad5eef822

SHA512
32b9dc4275c50e4a6e441e76a6c72056f75579704f5eae1b2b750b1ea645a4e17ae319eaa04e0e9737a9f66d7cc4abd1e75857e57f0ae5611df780980d925ccc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
2e827f33e8ef41a6754a3dd62542334c

SHA1
ab70f3052ab5d9539c06bb9fa7e856a7746f5b48

SHA256
f2c4b9e64ebd1cfd5ac88b4e36151306627c86fbe2334e6b5f2cd7958eab0db4

SHA512
1288158d4aa86570b85c05cea9cc6bd6ca505af9dbafdee43b1e4ef6f5010e804185e6ffa89d4aa44d731482141969fafd2560715b1b4f0e5a191add6c037605

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
896B

MD5
06662513e6cb50cae7034d20197a875e

SHA1
86b26b8ea47d89e8c98760c0f1bae670059a0a84

SHA256
d1fa3dcacc903da7f306afc7575358eb1e3f4458d4cdac402049c689dace0cdf

SHA512
ac30ac37ccf38db5af3697b225a657fab8f078ce301ab14abe22af417df6408e424ad1fd02d72acd0d9b01dd999485dfc97e8062407bef406fb97fee7d56ce08

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx

Filesize
12KB

MD5
aec1d2585c3f6205f97ab6fbdcd7ce49

SHA1
ba738bb2bde816caf9080ad977977ffda7150d49

SHA256
91ce474a3741d8f09e85c2722617eaf409b79435398d276573af1525988c462b

SHA512
580d5c8b8cdbda71cb02d8811522581dc082a6e1afc13f5aedb8f43e41c7c8a0bd6a8164ba781f0917d4ef7497108786b7cd1364283e1076dce6dde7fded975e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx

Filesize
9KB

MD5
863a2116dd325c2ab1142900959eb60d

SHA1
754044f2ebabb4dae822fa5b5d72bcb1b9e2c225

SHA256
d3d6e1a49cadf97cfd0d3f3c1b221d3141d8664fb121b719da8cdc3ae9f9f658

SHA512
3e424ebf15e5d9327089e2750787d298b3607151d931c8b3a922c8362b61968253038686e64b7f4facb3122dedd66f5a0ee4ac8500b1fb936d4ab1f52b59a3e3

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx

Filesize
2KB

MD5
3d2d330dcad9daebbf9daaae0ebe0149

SHA1
6328ffcb29165db7406e49393c95dc5086318099

SHA256
bafd54645097366b8faa51463629cced886b1b7c0e66155aaa19dfcb1f5662c2

SHA512
1d8060cce69242d55337db19939760fe1231299b40a00471813526457689971e2f98892270f04a221d76a6ffbc9dba839e010c77cfa8d405bc8ea8f67c008bf2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx

Filesize
10KB

MD5
e0ee9b1343eca405d78d6a4315f643f5

SHA1
1c27d5de3b86e8e498a391b81a7620f7b0002f84

SHA256
0c31f35b5a4d4e6f864914a0c001833fccb964f26ac4bd6cc56c793d1f257fa8

SHA512
9aaee7737739ba50c08cb5c10c8edf210a6f0d43ab37600c6e90f3ed82e3f1678e3122b5ca56c9f4bb080837309e8a82967676260b62788e4a671c57bd75dc57

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx

Filesize
21KB

MD5
143a8af669993870cc524ac288bfee4a

SHA1
5e671cfa4b0b551d987c6b2c6bd6f977ba03aa78

SHA256
36934bcfcd04e35fc98530850987d50f4ccfc6789423729881d10b3821e659ed

SHA512
f6d12f3f8529f6a61482ccc9de6ff62dbabcfe0a0bfb2b9a69fb3a47b2b726643e2f6f51846ef05e2ee6fbb1a554a317dfe1108c57b019f8d91f03e82ed644bc

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx

Filesize
11KB

MD5
fd962af7e245a05961420192f8ba3df6

SHA1
acb01ab8f12843a8848759f96a15f1e18f677842

SHA256
a3ce2053bf8a0b518481b12cf80a35dae3ee9b4d1dab2555e3096d48d5d92208

SHA512
4cb885ac1337fddd438fb89c2e78a901e89dbc65538307c76419a9a4e896823e483de6a5ac3cd3e89756027af744c41ccdc1a98b18a9ca51fc1535c5bc1485ce

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx

Filesize
10KB

MD5
003675271e5d5611d3682c0e98566b45

SHA1
a1d2fb85cc7908d977407236e44b9d87991a1372

SHA256
224616b640f0976155752cfbd24cbb4ef80d24243a4382cb9fb7caa27b859cc4

SHA512
a260db24965d104d85582dc56b4eefee06d2e86fae443acedee94daa898220c5389b973b269d7afb1bcbcf6c749c0a1d98b5e3333bf7871912cfd59abfae2cff

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx

Filesize
9KB

MD5
a7af8a7c1859b1786c33a330d10d1e5e

SHA1
3bd41057022b1945df5400d8088e172ddcf4448c

SHA256
763a12a9cb2fe7c5fa5530dc99221c8a817a70604979fcc9ead2d93677e86637

SHA512
fa1234a9fc5a0f9ab94eadb76ef226b9e0b8b1386af33ba1021878c7866ace8fc51f5898cfa409677d61661c5966ef70c37f73581ed541b6f55295f48af94132

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx

Filesize
1KB

MD5
41d4a89d1f9877a83745e28b45a43027

SHA1
e42683517e3661ff472779ccfa72fccef3779b5d

SHA256
9a0c082fbe3ad4eb17168d84dc47cad2872f64b7a1e6ef7b62a9dc0336481d1f

SHA512
8aa595cc7acf15c97a998577ee62f68f763a1b3d2da175e7550755d4886006f2ae283f30c4b85cc25e187d7842ec60a46dc6d754135b4b745b4951d256a0920d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx

Filesize
2KB

MD5
472e1727d1e54ff83a07d7f7c0916a7a

SHA1
aec17b766aec272c47a00dfae2a2a5c04b044601

SHA256
e454fa630e1dd2b28d11546efc08018fc6adae57d0f1f04b4eeb6f968f93855f

SHA512
eb2a2542add83ac0810c85b0e1f7085376e7664d1c7ff2658e422772d9b988935c141d76187ef87feee486768a866caf2e2ff86e2ee90f1c23e4d7e09a0e38bb

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\default.aspx

Filesize
4KB

MD5
a22e8b9b72601fe25f6093e28036d44a

SHA1
ac2e9e3e46d91e94ea94db32b9c17edff3b9fdd6

SHA256
457f61966d3210c8b20bee140fb6bf03a85029fa438545e9a1fd42b632315322

SHA512
a76613e1cf758666f82b2237bd829f0ffd2129a31dec3e5148f83671b5ad097d4cb98dd7489774a67f98f43560aacbfce4fd3191bed7ea18873c2ac3d3962991

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\error.aspx

Filesize
6KB

MD5
cb772d0492c674961cb967b835790189

SHA1
771bd14f4dd45db23e6f5794c983a41ab3c74869

SHA256
a65bb08919870d0b76d7012313c6e497106989bd2fc203a357c54b646562275e

SHA512
f692b19d6b80555154562ce9d64d2d5333a67dec98c7c59c9026f4f92aa9db5ac0a3a2748e113e53e9a26a8698da573f4b63673566215787d0db26169fea714f

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home0.aspx.locked

Filesize
1KB

MD5
3513114fc6f4790d8778e64485a45c9e

SHA1
436e073f230da204c9ad17bdcb5be78f767dbcd4

SHA256
7b2c866c1b90a29a3576904b389e594ec698ac28b168c62f3e6a4a2f0babf01c

SHA512
021c16a9a1c25b68f389bc123a09d11db1444e027769fe23024d950414cc4b11c41b11232f991b7be8a8c1b8f3c38981d81f5de78f3936dc1f9dc73bc54f363e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home1.aspx

Filesize
752B

MD5
dd089bc4636cb913fb959b9acd2e7dc7

SHA1
0a82aa0de5c39e38f5cfefdc698fa39496fb0395

SHA256
bb2f7829d7922e0f69de69889ec54fe2d5c8a6275ba4758070e2032fddf1f3d9

SHA512
52c8d5c8c5c98fdbebe7173b6bb60faac5bfdaaa9c08040720b7f7542ec62d309f9eac14a24b6de32a50e556565024e07a74bcbd7f722d847a9f9bd3a2bd6aab

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx

Filesize
1KB

MD5
92870e832b8e19f831ace3e115e45c01

SHA1
3b7a8423f7c766bfc1356db26f686e77f2ad47c5

SHA256
2ff76dbf35c2f296820d44f839b8d03c696c12167d5d8e5d83dce00c97addb1c

SHA512
f9b8efc22261a2b12b3d85b2f81226f3f70b815caa5ba6e3722800b0a2cc990831e0166033c7022c1c0cbebe314b3c15162a565b56a36abd3e4d43c3240c5078

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Logic.sql

Filesize
23KB

MD5
a09e07985cfc4dc044537467223089b7

SHA1
011efd6d939585d92b250a6160f2dba5395fa871

SHA256
edb4b0a400919affc4d96e9a03ad918c857f57cea16420b285bb3ccdc13f743a

SHA512
0057453e52787bc5ec265e8d880a21aa7aa0f15a76d087489198728e853a352065ac153d7e4001f2707f45d8847f0df578751114cefa0d3a9fb01e8c39f3871b

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\SqlPersistenceService_Schema.sql

Filesize
4KB

MD5
c91349e0b6b6c20be353dd7b294239db

SHA1
2d424bf6c5877128e8f3e5e2bdb50346882f918e

SHA256
424786899f332334dc6734ca31735826dd17355bdb66b6b1b3dff49e71eadf74

SHA512
c78cdfe315ba90b6cccac55c30686394fd4af381522924c836e0cde5371981c8e71fbb21d86b72277da49e95fb789f98f6e755777cd331ba533bd7a51b59c59a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Logic.sql

Filesize
372KB

MD5
8fac39dd38a4f7356607066c0d24faa4

SHA1
ecf3bf6859a49d3dce814cccac9e05fb876de2c2

SHA256
7f2d9bcd8db9f96b737a07b81489d4feae986e198a4bea7ae66cca906211b00c

SHA512
cb0b9f4f4c89b5e8b450502a213c4bcb61975a97042cd25cd49631a59dc1d2b3c37f4b3993ae07266f6022e8ec8f7ef944bacb52b4e106d92de86753ed6f018a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SQL\en\Tracking_Schema.sql

Filesize
49KB

MD5
9b5a3a735153fb116cc2ebed223027e6

SHA1
84503d6e82166944141306b353c6fb23b062d4d7

SHA256
b8723045df55ba1c3c9a50c31c45078b247e94439f0b946d1f6a3b9e4a2dbddc

SHA512
7d5e0bc5d967313854a6eeff534700bb0775c780a48ae92147c2072a4b1446e3f2ff07775e07d6ed7e988bcf2f67223e5e3c092fd014cd9da968cf161dd0ed0a

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\DropSqlPersistenceProviderLogic.sql

Filesize
2KB

MD5
f2c6d1f85ebfc8ff16a589ac332c72dd

SHA1
22bd89d0873466727de7a27bec5b178668c348b7

SHA256
f25994230d9ca7441d1020a390293dfa9979d495af7f81a344a535620c91d7b4

SHA512
ee699a077a14a6630cc36917e7fd75d10cb91a4b9959e0ce62c658ae7308e4290203c96e327617c90a2cb03cfd79afeec55779874c47eb74aa7819785cfc1eda

Download Submit
C:\Windows\Microsoft.NET\Framework\v3.5\SQL\fr\SqlPersistenceProviderLogic.sql

Filesize
13KB

MD5
bc2665f5e11a4e5d7fe519ed71faa781

SHA1
aab89de4c18aa0a1bd71084c60c439d789741090

SHA256
5a709ecf34f71177560efba280c2988a3024f7f4309ac20bc168a6764ff76e62

SHA512
e3588e515bb920c0f0dfe4b786b3a9925fed1ffbecc6ef976a79d50b93d98fbac9f9ffcb83045d29413d22fbafb2016ce746354cde5d8c20466c0ae78ecac623

Download Submit
\Program Files\Common Files\System\safemonn64.dll

Filesize
207KB

MD5
17d94533420151d4f1af7ca6e9652df6

SHA1
af511753b6082a04aded94d1ba1aca037559f698

SHA256
e7553b6931998d2d4359162bae14054830f8f69be9d2de3f445158d5caa113b9

SHA512
8d4d4d0c71a432c326305a20cb6b9362815f6cd7cc7328ac632ecdc233f335d1119039b1cadef78d10ae40ebc1ab75c8e93b45cb34265a1ab53f3efdc775ce76

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25242\python27.dll

Filesize
879KB

MD5
f3caec450b53d793c44bf5b1c6d202d5

SHA1
e156b4c6284a7b493febc956014de524b157ab4f

SHA256
ddacdf039b0392425b01b783e958f2a918caae7877dda1c98da48b664ef5ff09

SHA512
3e86b4522e1f167b73c6477277bed52b7c418d675fbd13ae8916bece9b0dbe081a645ce58da11aba10d463f32af75582abe906a468f291cf38ce21ad2d36a6b3

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\Crypto.Cipher._AES.pyd

Filesize
16KB

MD5
5e86145a6de363fa7c98304ad117428d

SHA1
cfd94e3415de661add7d89ca88d8034f189f5e72

SHA256
18a3dba419252417f7bea8e1d2a4d804aca8d00fba9f54dd598266c2f38c4f9b

SHA512
291581a86f444c870eb7af253df1b399daee5e557ff031aa1dbb24271ddd89a415152571e88d30c2516c2e3719e5ccda49fdab12cb6d0645f6007e5977429a45

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\Crypto.Random.OSRNG.winrandom.pyd

Filesize
8KB

MD5
efe96e08e4b8b5664648cb0c01d4249d

SHA1
d897340b727433f7d7d04e91afc0ae9adbb7e9ee

SHA256
28bfcfd50af5d822f6dc1b42790695dafeef0f0d9511a4d62934ffa0681fe941

SHA512
007f22ea691890628165f1cf1905942defcfb86ec3a0e145b902f563ec8680823a8af8b5f1df54be229891a76588a5726b0ee2d30e5d7edf553c6a0dc51b4ad9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\Crypto.Util._counter.pyd

Filesize
8KB

MD5
be8798ede5e6f3404662b7caf6da87b3

SHA1
d0e6151ba9045a404dd0cadbe786cb5f407eb6f5

SHA256
3fe8dca5f22729b65730a6aa1d830ab83fd5dc16aa2b16be5bde83c888498f69

SHA512
1c2aeca88996424ec9aeafdb5dfab514c1aaafe65d46a10ada874162ce151336a756d25bd0c911695b8597050391222ede430ba73daadd02ff10d59b641d7794

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\pywintypes27.dll

Filesize
51KB

MD5
68bcd7c3e9cfd782c83023ff5711b3c3

SHA1
2cf4792bf583909178492f3661e8f7c7af7c2b90

SHA256
b219ef4d28995f8f01961f89c6f902fc27ad8ea304995de2ffb7db6156f7e76a

SHA512
7ac2192f341e9e4b89cb3a88e0c406bc138252d3c0e2fa0b7621fca26fe564fe53c7199ed2917e81e8d01af321b4c4f4a9bbec04ac218e55c6839d770600d1b6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\win32event.pyd

Filesize
10KB

MD5
a2b1f6883faf70aca23c644ef203cad1

SHA1
cbaced2f02273e439f55b0c681e77c4298c125e6

SHA256
046db0343f3a55310f6167f23fcf7ad0fe599297f445774c60500fdcb0a90d13

SHA512
5bd27c66f96286e3fd25892d89bab9e0dc611f40740f9fee5c99e22b76fe07cc68ebf8cb49a1b1a4ce861d0f4eeaa51062752d78869acafee10a784ef2fdfcd1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\wx._controls_.pyd

Filesize
128KB

MD5
9388215f7b0bea9fc164648b116ae818

SHA1
e8155ef5953e685c787bbabd493b197610c735a9

SHA256
59afefed207f4aabfd2fecb1e91cb32f2989c8b699ed11614bb371de566db1d6

SHA512
157f16634ed8c38edd727698f62a9c9e7b49e6a64c91ee734e6cb5013f05376ad3f34c3cf3c223afaeac062fb01cca03604d8c4551647b755418e688e40b40e4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\wx._gdi_.pyd

Filesize
117KB

MD5
b74b7b859f0f4c7eaf03164bbd52e0b9

SHA1
a3add60754b36f75e9f82add48f66ec9bc563202

SHA256
1caeaae47de759b389920a56fa1f1fd592ea1e216d6ad660695b623f73d200bb

SHA512
609a0cd858facce4ed5756e84f5e3ea7783ea004aed6b7b3290a1c16b92937b44dd0fde8189575e7a0d99baed29ca01663f72ee9fb85ca53cdc4ee2a74a7bb43

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\wx._misc_.pyd

Filesize
104KB

MD5
01d588bbc82b326d47f33101b982639b

SHA1
c83e68c0567fbbb1160d50eb5a5b9cb4044a51d0

SHA256
150200cbba5348448f4b061b77b9051e41698f6fbc917e59e1b2b2cd15f2304a

SHA512
7950adc337016388c223399ef7d66644155f0e10574ee67736c6f3e7aa828a16bad9ea759f355f2961b4b22f2d0ad56108bdf3eb2a2e4d5d2a85062db85d6961

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\wx._windows_.pyd

Filesize
97KB

MD5
63743283e2e36d935198ad80a67a5ba6

SHA1
1bc783e0ac43af9705a8eb21690570edf5cffdf8

SHA256
19849d9a3c885c366673bcb928056a47c9bf57cf5cc2b203fc136642790b2a41

SHA512
e7df31dbfc6b48c23513a849a6b7e0c5941405d696c005e08621c2bb6d4e77b8febb4510d4a53e1d069cb2e494f0872104728ee28b3bcff69ea9f1d5bc7de910

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\wx._xrc.pyd

Filesize
33KB

MD5
474240cdeeb249f7fb40b0168f4f270e

SHA1
4d897dfd6da5536caa5e6a31db424faa6f587fe3

SHA256
6d3fe48fc84aecba9214d99b693e0636929885a49c82e6f61195de1b1a023767

SHA512
ea9e875eb576ead3b8088b39ab46530ea833a9474c90fb438e28f6de0d0ef3c857da9ab991beb3b9c951b95f734df5c3e8d6f6fbcfa60b07e87e7ce0c7e6c48e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\wxbase30u_xml_vc90.dll

Filesize
55KB

MD5
1fd3f08e1a22898d9147d451762457b6

SHA1
9c559cbf3db6eb0c43a5fcc0accb5ec8f662d889

SHA256
1d568dd4f32035ee499b0d9ea5efaded818892059c4047adf04f6a9d7e8e78e9

SHA512
2a8b19b69da7f01e8475b07113eba68eef8af8fef8d35caca02b105d42f6e6ead66482d1f28a84d67cdd63218e511b518cab447a11e692aedc1b7900923e1adf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\wxmsw30u_adv_vc90.dll

Filesize
469KB

MD5
56dc4122716ff24e7beb1f871477e699

SHA1
53d2d920a75ac8f36cdf5fa1552b60baa0d366de

SHA256
24f6893c513a084811452dd380895cc76081eebd40e269f233172a3e27ef043a

SHA512
1e46039a8f2378a35d2e7dcf2929c8424d5417c9f4bfb5fd78d3853aef32048cc56fbd5411b4517d1ef7db5424b943e111e19b007d300794a350bcd9bb8d3975

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\wxmsw30u_html_vc90.dll

Filesize
196KB

MD5
6542be957cbf8aae0e634aa958a5b8a1

SHA1
406320761c051f6171da1680317e1af6308ac3a2

SHA256
3f9a8b41a5af27931c286514e5bd4252fed9997fa75f92027fcbb2edacd8141a

SHA512
2a08189206bf76db9de2f21af193a3c18b0bccd350dc2fec16fec0428bd5307ce3b26aed3fe79258647d79657aa3eb75bd1e35e0085f300791e41002a2934c4f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25~1\wxmsw30u_xrc_vc90.dll

Filesize
157KB

MD5
39631fc69b270c8cd787bc81632ad0e0

SHA1
e5885286c3cacdaf6d217b65f39c9c6409118f74

SHA256
05ecc3a61868b14497f0c2a23290cace3e60bbb6f281d4baa28e4861216dd844

SHA512
404dc377b3f954fe3f17040b874a743b602e254e33c2c8c7fab8444791d194ff2d1e3205e02cee9331db9368392ebbfad11580f0e43f2c272253936c688d41b6

Download Submit
\Users\Admin\AppData\Local\Turbo.net\Sandbox\1.4.2.7\local\modified\@DESKTOP@\222.exe

Filesize
1.3MB

MD5
0cd228213ef9c41b148d7bee47f96d60

SHA1
aa1414c48762d3b644fcc9188287c68ff4d3c91b

SHA256
11d1b6677398a8be3fbf91d9f040a3174ea72f9b416fa8db1d109058bed01c1b

SHA512
e1b802f1ef3058c3744e3211970ed6409cac12837e294458b4aa819dfb46ca6bed724bdbfbe7f7a04d5c16e8f3cde01078ffd09c5e3176b4e4df23542e1a367d

Download Submit
memory/700-172-0x0000000037140000-0x0000000037150000-memory.dmp

Filesize
64KB

Download
memory/700-167-0x0000000002620000-0x000000000265D000-memory.dmp

Filesize
244KB

Download
memory/700-471-0x0000000005820000-0x000000000593B000-memory.dmp

Filesize
1.1MB

Download
memory/2524-1240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-149-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2532-1081-0x0000000002650000-0x000000000268D000-memory.dmp

Filesize
244KB

Download
memory/2532-1086-0x0000000037140000-0x0000000037150000-memory.dmp

Filesize
64KB

Download
memory/2564-86-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download
memory/2564-72-0x0000000000A00000-0x0000000000D43000-memory.dmp

Filesize
3.3MB

Download
memory/2564-102-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-101-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-104-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-99-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download
memory/2564-70-0x0000000000A00000-0x0000000000D43000-memory.dmp

Filesize
3.3MB

Download
memory/2564-71-0x0000000000A00000-0x0000000000D43000-memory.dmp

Filesize
3.3MB

Download
memory/2564-87-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download
memory/2564-103-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-80-0x0000000010000000-0x0000000010175000-memory.dmp

Filesize
1.5MB

Download
memory/2564-75-0x0000000000A00000-0x0000000000D43000-memory.dmp

Filesize
3.3MB

Download
memory/2564-73-0x0000000000A00000-0x0000000000D43000-memory.dmp

Filesize
3.3MB

Download
memory/2564-67-0x0000000000A00000-0x0000000000D43000-memory.dmp

Filesize
3.3MB

Download
memory/2564-108-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2564-66-0x0000000000A00000-0x0000000000D43000-memory.dmp

Filesize
3.3MB

Download
memory/2616-1071-0x0000000002FD0000-0x00000000030EB000-memory.dmp

Filesize
1.1MB

Download
memory/2616-880-0x0000000002630000-0x000000000266D000-memory.dmp

Filesize
244KB

Download
memory/2616-885-0x0000000037140000-0x0000000037150000-memory.dmp

Filesize
64KB

Download
memory/2736-1198-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2736-234-0x00000000005A0000-0x0000000000665000-memory.dmp

Filesize
788KB

Download
memory/2736-432-0x0000000000440000-0x000000000051C000-memory.dmp

Filesize
880KB

Download
memory/2736-963-0x0000000004060000-0x0000000004190000-memory.dmp

Filesize
1.2MB

Download
memory/2736-115-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2736-119-0x000000001E860000-0x000000001E880000-memory.dmp

Filesize
128KB

Download
memory/2736-122-0x000000001E740000-0x000000001E766000-memory.dmp

Filesize
152KB

Download
memory/2736-139-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/2736-1009-0x0000000004190000-0x000000000425C000-memory.dmp

Filesize
816KB

Download
memory/2736-150-0x0000000002E70000-0x00000000030E9000-memory.dmp

Filesize
2.5MB

Download
memory/2736-223-0x00000000742B0000-0x0000000074561000-memory.dmp

Filesize
2.7MB

Download
memory/2736-224-0x0000000000440000-0x000000000051C000-memory.dmp

Filesize
880KB

Download
memory/2736-1097-0x0000000002D20000-0x0000000002E67000-memory.dmp

Filesize
1.3MB

Download
memory/2736-227-0x0000000002810000-0x00000000028F9000-memory.dmp

Filesize
932KB

Download
memory/2736-250-0x0000000002D20000-0x0000000002E67000-memory.dmp

Filesize
1.3MB

Download
memory/2736-1136-0x0000000000940000-0x0000000000970000-memory.dmp

Filesize
192KB

Download
memory/2736-1213-0x0000000004190000-0x000000000425C000-memory.dmp

Filesize
816KB

Download
memory/2736-265-0x00000000030F0000-0x000000000328E000-memory.dmp

Filesize
1.6MB

Download
memory/2736-266-0x0000000002170000-0x0000000002199000-memory.dmp

Filesize
164KB

Download
memory/2736-267-0x00000000043F0000-0x00000000044D4000-memory.dmp

Filesize
912KB

Download
memory/2736-268-0x0000000003290000-0x0000000003859000-memory.dmp

Filesize
5.8MB

Download
memory/2736-1212-0x0000000004060000-0x0000000004190000-memory.dmp

Filesize
1.2MB

Download
memory/2736-239-0x0000000004190000-0x000000000425C000-memory.dmp

Filesize
816KB

Download
memory/2736-1215-0x0000000073D30000-0x0000000073E37000-memory.dmp

Filesize
1.0MB

Download
memory/2736-251-0x0000000000920000-0x0000000000929000-memory.dmp

Filesize
36KB

Download
memory/2736-252-0x0000000073D30000-0x0000000073E37000-memory.dmp

Filesize
1.0MB

Download
memory/2736-253-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/2736-258-0x0000000002E70000-0x00000000030E9000-memory.dmp

Filesize
2.5MB

Download
memory/2736-259-0x0000000000940000-0x0000000000970000-memory.dmp

Filesize
192KB

Download
memory/2736-254-0x000000001E9B0000-0x000000001E9D7000-memory.dmp

Filesize
156KB

Download
memory/2736-255-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/2736-675-0x0000000002810000-0x00000000028F9000-memory.dmp

Filesize
932KB

Download
memory/2736-235-0x0000000004060000-0x0000000004190000-memory.dmp

Filesize
1.2MB

Download
memory/2736-233-0x000000001E860000-0x000000001E880000-memory.dmp

Filesize
128KB

Download
memory/2736-1211-0x00000000005A0000-0x0000000000665000-memory.dmp

Filesize
788KB

Download
memory/2736-1210-0x0000000002810000-0x00000000028F9000-memory.dmp

Filesize
932KB

Download
memory/2736-219-0x0000000003290000-0x0000000003859000-memory.dmp

Filesize
5.8MB

Download
memory/2736-1209-0x0000000000440000-0x000000000051C000-memory.dmp

Filesize
880KB

Download
memory/2736-1208-0x0000000003290000-0x0000000003859000-memory.dmp

Filesize
5.8MB

Download
memory/2736-155-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2736-156-0x00000000030F0000-0x000000000328E000-memory.dmp

Filesize
1.6MB

Download
memory/2736-136-0x0000000002D20000-0x0000000002E67000-memory.dmp

Filesize
1.3MB

Download
memory/2736-124-0x000000001E950000-0x000000001E95C000-memory.dmp

Filesize
48KB

Download
memory/2736-111-0x00000000742B0000-0x0000000074561000-memory.dmp

Filesize
2.7MB

Download
memory/2736-1207-0x00000000030F0000-0x000000000328E000-memory.dmp

Filesize
1.6MB

Download
memory/2736-1206-0x0000000002E70000-0x00000000030E9000-memory.dmp

Filesize
2.5MB

Download
memory/2736-1205-0x0000000000370000-0x00000000003A5000-memory.dmp

Filesize
212KB

Download
memory/2736-1204-0x0000000002D20000-0x0000000002E67000-memory.dmp

Filesize
1.3MB

Download
memory/2736-1203-0x000000001E950000-0x000000001E95C000-memory.dmp

Filesize
48KB

Download
memory/2736-1202-0x000000001E740000-0x000000001E766000-memory.dmp

Filesize
152KB

Download
memory/2736-1201-0x000000001E860000-0x000000001E880000-memory.dmp

Filesize
128KB

Download
memory/2736-1200-0x0000000010000000-0x000000001000E000-memory.dmp

Filesize
56KB

Download
memory/2736-1199-0x00000000742B0000-0x0000000074561000-memory.dmp

Filesize
2.7MB

Download
memory/2736-1214-0x0000000000920000-0x0000000000929000-memory.dmp

Filesize
36KB

Download
memory/2736-1220-0x00000000043F0000-0x00000000044D4000-memory.dmp

Filesize
912KB

Download
memory/2736-1219-0x0000000002170000-0x0000000002199000-memory.dmp

Filesize
164KB

Download
memory/2736-1218-0x0000000000940000-0x0000000000970000-memory.dmp

Filesize
192KB

Download
memory/2736-1217-0x000000001E9B0000-0x000000001E9D7000-memory.dmp

Filesize
156KB

Download
memory/2736-1216-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/2796-10-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2796-1432-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2796-12-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2796-11-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download