Analysis
- max time kernel: 113s
- max time network: 108s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2024 06:11
Behavioral task: behavioral1
- Sample: dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe
- Resource: win10v2004-20241007-en
General
- Target: dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe
- Size: 1.3MB
- MD5: 6036ccabba8a405dbc98cfa3171f4019
- SHA1: dfffc5f90e5c4f207f5d772a1db64b13b6e003f8
- SHA256: dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122
- SHA512: c8ceb801770756800abf2a57cd2a9e6245acbc7975ceed0adea2ce0512eb07229e452bf5e6e994ab37f7084ed0845f9308f903cba6cd82a36507897d392762bf
- SSDEEP: 24576:XN4EfsPHd9VbyiKSnKMnsNneRWrN2jHwTxbMmgCyq3eca44zpRPtHSr:9z0/0iKSnKYsNn4WZ2LwQNGeca4aPl2
Malware Config
Signatures
Modifies Windows Firewall 2 TTPs 2 IoCs
- pid 4204: netsh.exe
- pid 3640: netsh.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation (process: dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe)
Executes dropped EXE 1 IoCs
- pid 1844: Windows Session Manager.exe
- resource: behavioral2/memory/2632-0-0x0000000000390000-0x0000000000680000-memory.dmp, yara_rule: upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh (process: netsh.exe)
System Location Discovery: System Language Discovery 1 TTPs 33 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Processes that opened the key: net.exe, net1.exe, netsh.exe, cmd.exe, dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe, Windows Session Manager.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
- pid 1844: Windows Session Manager.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe"
  PID: 2632
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
    PID: 1844
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
      PID: 4376
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\net.exe
        Command line: net stop MSDTC
        PID: 2848
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - Image: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSDTC
          PID: 2932
          Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
      PID: 984
      Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
      PID: 4860
      Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
      PID: 2840
      Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
      PID: 4128
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\net.exe
        Command line: net stop SQLSERVERAGENT
        PID: 3484
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - Image: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
          PID: 4692
          Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      PID: 2384
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\net.exe
        Command line: net stop MSSQLSERVER
        PID: 2772
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - Image: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSSQLSERVER
          PID: 4988
          Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop vds
      PID: 4232
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\net.exe
        Command line: net stop vds
        PID: 3400
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - Image: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop vds
          PID: 2548
          Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
      PID: 2076
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall set currentprofile state off
        PID: 4204
        Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
      PID: 3460
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall set opmode mode=disable
        PID: 3640
        Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
      PID: 3064
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - Image: C:\Windows\SysWOW64\net.exe
        Command line: net stop SQLWriter
        PID: 3980
        Signatures: System Location Discovery: System Language Discovery
        - Image: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SQLWriter
          PID: 2412
          Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
      PID: 1064
      Signatures: System Location Discovery: System Language Discovery
      - Image: C:\Windows\SysWOW64\net.exe
        Command line: net stop SQLBrowser
        PID: 1228
        Signatures: System Location Discovery: System Language Discovery
        - Image: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop SQLBrowser
          PID: 1232
          Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
      PID: 1088
      Signatures: System Location Discovery: System Language Discovery
      - Image: C:\Windows\SysWOW64\net.exe
        Command line: net stop MSSQLSERVER
        PID: 2188
        Signatures: System Location Discovery: System Language Discovery
        - Image: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSSQLSERVER
          PID: 4544
          Signatures: System Location Discovery: System Language Discovery
    - Image: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
      PID: 3708
      Signatures: System Location Discovery: System Language Discovery
      - Image: C:\Windows\SysWOW64\net.exe
        Command line: net stop MSSQL$CONTOSO1
        PID: 2692
        Signatures: System Location Discovery: System Language Discovery
        - Image: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
          PID: 4416
          Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads