fb1a2435...a3df

Master Boot Record Changes

»

Sector Number	Sector Size	Actions
2063	512 Bytes	... Actions Show Code Modification

C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\QoAY92J30os7vCHc.exe

Sample File

Binary

Malicious

»

Mime Type	application/vnd.microsoft.portable-executable
File Size	18.00 KB
MD5	94828f8e3eb621af18230cb781a01725
SHA1	56c44fe9252f1ee6099848ee0cee4b3dc22c704c
SHA256	fb1a2435bbdf97962fc8de17a5778d46b13f858e2fd412f429fba3e08475a3df
SSDeep	384:M3kVyC+zerrmTvklbqIkz+2dRwNeZfUW8:M3kVUedb4Lw48
ImpHash	f34d5f2d4577ed6d9ceec516c1f5a744

PE Information

»

Image Base	0x400000
Entry Point	0x405c1a
Size Of Code	0x3e00
Size Of Initialized Data	0x800
File Type	FileType.executable
Subsystem	Subsystem.windows_gui
Machine Type	MachineType.i386
Compile Timestamp	2020-03-20 22:35:10+00:00

Version Information (11)

»

Assembly Version	1.0.0.0
Comments	-
CompanyName	Microsoft
FileDescription	SSvchost
FileVersion	1.0.0.0
InternalName	ssvchost.exe
LegalCopyright	Copyright © Microsoft 2018
LegalTrademarks	-
OriginalFilename	ssvchost.exe
ProductName	SSvchost
ProductVersion	1.0.0.0

Sections (3)

»

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
.text	0x402000	0x3c20	0x3e00	0x200	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.24
.rsrc	0x406000	0x5d0	0x600	0x4000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.12
.reloc	0x408000	0xc	0x200	0x4600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	0.08

Imports (1)

»

mscoree.dll (1)

»

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
_CorExeMain	0x0	0x402000	0x5bf0	0x3df0	0x0

Memory Dumps (27)

»

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
qoay92j30os7vchc.exe	1	0x013C0000	0x013C9FFF	Relevant Image	64-bit	-	... Memory Dump Actions Go to Process Go to YARA Matches Download Dump
buffer	1	0x7FE9410E000	0x7FE9410EFFF	First Execution	64-bit	0x7FE9410E000	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9411E000	0x7FE9411EFFF	First Execution	64-bit	0x7FE9411E040	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9412B000	0x7FE9412BFFF	First Execution	64-bit	0x7FE9412B020	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94221000	0x7FE94221FFF	First Execution	64-bit	0x7FE94221030	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94271000	0x7FE94271FFF	First Execution	64-bit	0x7FE94271040	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94272000	0x7FE94272FFF	First Execution	64-bit	0x7FE94272000	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94221000	0x7FE94221FFF	Content Changed	64-bit	0x7FE94221333	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94222000	0x7FE94223FFF	First Execution	64-bit	0x7FE94222000	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9412B000	0x7FE9412BFFF	Content Changed	64-bit	0x7FE9412B100	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9410E000	0x7FE9410EFFF	Content Changed	64-bit	0x7FE9410E6E0	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94222000	0x7FE94223FFF	Content Changed	64-bit	0x7FE94223020	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9410E000	0x7FE9410EFFF	Content Changed	64-bit	0x7FE9410E760	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94222000	0x7FE94223FFF	Content Changed	64-bit	0x7FE94223164	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9410E000	0x7FE9410EFFF	Content Changed	64-bit	0x7FE9410EA00	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9410E000	0x7FE9410EFFF	Content Changed	64-bit	0x7FE9410EAE0	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9410E000	0x7FE9410EFFF	Content Changed	64-bit	0x7FE9410E6E0	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94221000	0x7FE94221FFF	Content Changed	64-bit	0x7FE942218D7	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94222000	0x7FE94223FFF	Content Changed	64-bit	0x7FE94223450	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9410E000	0x7FE9410EFFF	Content Changed	64-bit	0x7FE9410ECA0	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9410E000	0x7FE9410EFFF	Content Changed	64-bit	0x7FE9410EFD0	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94272000	0x7FE94272FFF	Content Changed	64-bit	0x7FE942722A0	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9410F000	0x7FE9410FFFF	First Execution	64-bit	0x7FE9410F000	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94271000	0x7FE94271FFF	Content Changed	64-bit	0x7FE94271040	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE9410E000	0x7FE9410EFFF	Content Changed	64-bit	0x7FE9410EA00	... Memory Dump Actions Go to Process Download Dump
buffer	1	0x7FE94272000	0x7FE94272FFF	Content Changed	64-bit	0x7FE942722A0	... Memory Dump Actions Go to Process Download Dump
qoay92j30os7vchc.exe	1	0x013C0000	0x013C9FFF	Final Dump	64-bit	-	... Memory Dump Actions Go to Process Go to YARA Matches Download Dump

Local AV Matches (1)

»

Threat Name	Severity
Generic.Ransom.Small.773EC97D	Malicious

YARA Matches (1)

»

Rule Name	Rule Description	Classification	Score	Actions
OlympicDestroyer_Gen1	Olympic Destroyer destructive malware	Worm	5/5	... YARA Actions Show Ruleset Show Match

c:\users\5p5nrgjn0js halpmcxz\appdata\local\gdipfontcachev1.dat

Modified File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	106.27 KB
MD5	92e128dcb152d05f07faf5da64bd1c91
SHA1	2174814ca563fc2b9679fffbf1b40bdf3ac9abec
SHA256	11437a99f5f9c0a6df09c64abc8828ad3ecd8cf4fa601340ded86b8945edff43
SSDeep	768:i8HrbdvVyZHgTl7ho5sZWN/Ys9byFRQ+AwqGuGyZoVyOF7rrlqTIyMnm:/pVyZHgTl7h6tKR7AwqlGyZQVO1Mnm
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\CGMIMP32.CFG.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	6.69 KB
MD5	6fcad9982ebc168fe0fe2beb250286f5
SHA1	aca14aa0b11ac7a54cc900e44babf628dd050c65
SHA256	410e121532634a950595aa767159f5d4b6c937bcbb63ccfb7eb644df0929b9b9
SSDeep	192:hBjNUkttY3l6reb3iKoEzILzmSO1t9zjeQMe4:hBj7t7MrSO1vjeQu
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.EPS.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	14.75 KB
MD5	7ece27677f7e4cbec1c2c2e7e4873cd6
SHA1	7befbd9ded7d8d0472416d65214810fab1926a0e
SHA256	cbcbde6abe83ed4976cdd8d9e3164a37ac25ef800e9cd598a24463101abfffad
SSDeep	384:+wU+ylzG0wn8ra0PlD/S1RpRfKwwtKxzqBzRB//DJiUn:JU+ylzBpaES1RTfKmlqBNqUn
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.JPG.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	1.08 KB
MD5	82f383446817a34a084ae657eddd8492
SHA1	7cabbe40cf4081b458de7e45cfb60c80161d3dff
SHA256	ec9b00b5e00d6df6dfffc283398dc599c4596856420f0aa90bdd30de8930fb5f
SSDeep	24:PDtJyWYyfHSfB9td1tiGo4WhtkBivbtv8Jmh3IbrzXGGlIlB65:hJyOSp9P1Tyveg3yrzXGoIu5
ImpHash	-

C:\BOOTSECT.BAK.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	c6cd72668b9be2740021cc45e28b2ada
SHA1	ecea63047df27918f5eaeb6c1704d5847bfe742d
SHA256	8847f2b59a53caab8a6aa18ec80dadbac9f342a45f420051d01e1e06a2f2a255
SSDeep	3:1X1cqBF21rn:1X1TD21r
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\MS.PNG.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	1.69 KB
MD5	0c89a5371c8652527a765f47b16485ef
SHA1	bf6cb306aefbade56462f0aff2b02b3c88ae9e36
SHA256	a263324b6d5d4fda0d6d6acb79842c2f995e5768a0fa3bae524ce40586c76945
SSDeep	48:/9DLXJK2MuIQXP4Zq35q7aSOT1zetLCXvqe5:xZ7MSUQDT1KtLkz5
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\ink\FlickAnimation.avi.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	db2465cc14f8c97130736767e86d5ea4
SHA1	fd59732ff7aebf56d3075f148f49c717f3b1711d
SHA256	f826b5d1458822ba2f44719864e137cadcc93fb70b73aa400949f052924ddc53
SSDeep	3:LIOX/WavBZCkwoS:VXeU8/
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-correct.avi.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	55862d60c6d13e4a80856fd8b1237431
SHA1	668cfb9e70616261b11e9a05d785c1d0c63abbf7
SHA256	6b094d86a8891ef7ec34788afe43884d97a0b8bd18a2f9b7b3121dfc4c6dee19
SSDeep	3:UBBmsYRlvAsyP:UBBURlYTP
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	0d579977488d781acbf55de1099b7520
SHA1	f4978aecf9b55dd8e377bc0b4d281b1db86a4a57
SHA256	4af1266d955cdcad8bad3f89ebb550b4e4469817420b1d3339ae3584234dc9a4
SSDeep	3:deVj50U7jS2:vU7jF
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-join.avi.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	afc9797ce139710dd79cac21727f548b
SHA1	3d5e4cfedbe7faa16d11274d7c725f919ae2b76a
SHA256	bad3355a21f0728207256eac73cb4deb15828086f9262cfeda65332db8053cfb
SSDeep	3:SuZlZun:Vzun
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	25acc289161119cefa59d6c36cbab85e
SHA1	d2ebae87077805e5eb3ab2bc486af43639c37494
SHA256	394b0f84dfcef78bdd6b51e57da5768ce976d10a5491af054d890d32c7a6d2d6
SSDeep	3:eVKZoWUH:egWZ
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\delete.avi.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	ffdc81c2aaa9a9f7e4ce4576ac8ae849
SHA1	b80dbe184c236436117d8a50ce238296e6de7477
SHA256	6340d086091a65d62cb855af7b211c37495f8281556fe44754116d9a847e9adc
SSDeep	3:JG5pcQXgbn:c5pcl
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	a0b376c334b54685a80096f995f7b0ad
SHA1	c62385a76b8f483e299f5bb6cfda3b7a151d0a63
SHA256	ad4ef10f03fb8af440743d544343dfdd3aff293d10b2d3c351a03af602b5bb46
SSDeep	3:WTY569veKgH:W669GKC
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	0502dc933667ea29beb35e2bf2ad3b67
SHA1	b4a3ccd2921e6df0fbd6878d131cc60122b28008
SHA256	22787e28d03ed8a1a34894d5330a870fd15a76c3fefd5f192a0aa517d8538c6f
SSDeep	3:fGtmo3JVAV:Smo5y
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	ab76183ffa8a7da858a3601d62efb5c7
SHA1	d064440002efc61cb89efcaf67c87202ef4f6f03
SHA256	c68f998f1e4c1fa7b1b71349bcc3a8e28a9a9dc93eee01b5f1fce0f1322c889a
SSDeep	3:n+tZgfygQ6wYajQCpz:BygGjX
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\Smart Tag\METCONV.TXT.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	1.13 MB
MD5	c56de0e262bced4cfef6c13096e627e5
SHA1	2b6ddd6e5ea7d07d214f4ba8d71b91645290da6b
SHA256	e6d3a1e033f3f9650c557a1144c2a6c82be64a0af7a9dce70f51a81b67022af1
SSDeep	24576:HbvuXPiN47+4VcC2HxBPLhp1zpJHrIvKmFKs1QnsKpSnMvIjOCMCDA0bG3d+Z:6VlcC2HvFp1vmFj1QnpM9OfqMm
ImpHash	-

C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt

Dropped File

Text

Unknown

»

Also Known As	C:\Boot\en-US\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\Decrypt Instructions.txt (Dropped File) C:\Boot\ja-JP\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\PROOF\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Boot\el-GR\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es\Decrypt Instructions.txt (Dropped File) C:\Boot\nl-NL\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Boot\zh-HK\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Publisher.en-us\Decrypt Instructions.txt (Dropped File) C:\Boot\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\EQUATION\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\Decrypt Instructions.txt (Dropped File) C:\Boot\fr-FR\Decrypt Instructions.txt (Dropped File) C:\Boot\pl-PL\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Smart Tag\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Boot\ko-KR\Decrypt Instructions.txt (Dropped File) C:\Boot\cs-CZ\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Decrypt Instructions.txt (Dropped File) C:\PerfLogs\Admin\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\Decrypt Instructions.txt (Dropped File) C:\Decrypt Instructions.txt (Dropped File) C:\Boot\pt-PT\Decrypt Instructions.txt (Dropped File) C:\Boot\da-DK\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\Decrypt Instructions.txt (Dropped File) C:\PerfLogs\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\EQUATION\1033\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\DW\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\MSInfo\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\Decrypt Instructions.txt (Dropped File) C:\Boot\it-IT\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\MSClientDataMgr\Decrypt Instructions.txt (Dropped File) C:\MSOCache\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\Decrypt Instructions.txt (Dropped File) C:\Boot\zh-CN\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Boot\nb-NO\Decrypt Instructions.txt (Dropped File) c:\program files\common files\microsoft shared\ink\zh-cn\decrypt instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\Boot\de-DE\Decrypt Instructions.txt (Dropped File) C:\Program Files\Decrypt Instructions.txt (Dropped File) C:\Boot\ru-RU\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Filters\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Help\Decrypt Instructions.txt (Dropped File) C:\Boot\tr-TR\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Source Engine\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Visio.en-us\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\VISIOR\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\Decrypt Instructions.txt (Dropped File) C:\Boot\fi-FI\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OFFICE14\1033\Decrypt Instructions.txt (Dropped File) C:\Boot\hu-HU\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\EURO\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\PROPLUSR\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Smart Tag\1033\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\Decrypt Instructions.txt (Dropped File) C:\Boot\Fonts\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\DESIGNER\Decrypt Instructions.txt (Dropped File) C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\en-US\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\Decrypt Instructions.txt (Dropped File) C:\Boot\es-ES\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\Decrypt Instructions.txt (Dropped File) C:\Boot\pt-BR\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\Decrypt Instructions.txt (Dropped File) C:\$Recycle.Bin\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C\Decrypt Instructions.txt (Dropped File) C:\MSOCache\All Users\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Word.en-us\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Smart Tag\LISTS\1033\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\Decrypt Instructions.txt (Dropped File) C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Decrypt Instructions.txt (Dropped File) C:\Boot\sv-SE\Decrypt Instructions.txt (Dropped File)
Mime Type	text/plain
File Size	1.87 KB
MD5	3e8cea4281b4bf0ce65e5d5e51d8af3d
SHA1	bc2ac569b768312b1d6bf8aec67e4db5c19ed078
SHA256	a6bc0988f6ee344cab3d0cb66ee53d3dcdd5dfea170abfcaccbe81891f95d920
SSDeep	48:DibNcv0t8wi9fXwCztTJ9gox05kZYLDF9LFMdw+XC:+Dt8wofgChTUo+5kZwHC1S
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	8030f694520548a771c0962bcb457778
SHA1	8068d7f078c09728dc95ecbf0b42b60d1d33fcfa
SHA256	7fe2a52e24b8285bd4a622c6d0449b6adbd9cdb16a5945a89d302e6319e6606c
SSDeep	3:uYcih3uBzecSn:uiheBScS
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	81d420ac35142a1c71267513894df5bc
SHA1	155d42c1e2a38fa5fd314f1a973113547aeefb4c
SHA256	eeea53f8ac2f645d9e2e12c0c78a39a5efea5c064ca3dd9bb147e1f33629bcc9
SSDeep	3:8PcvAnwZly7Msdm:8PcBZlJ8m
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	3efcf17d9d8d481cc0faa93ceb190190
SHA1	0b7aa3b2d5b5a3ade1546a5453b94decbd2897fe
SHA256	bc9b018f1063583e9e7b49f6d840440816813dcd2e181788b58381700579147a
SSDeep	3:HUU2J6sh:+J6c
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	8d8c0ab7df87460f5225cea81cc0a94b
SHA1	9b84cc250817b78d05997d86c3b5574062a7a453
SHA256	bce871d20e0e5b0980d61dbfc9d25a0e9aac5f73d6cef5f8b99003be47f6941a
SSDeep	3:MDn5hj4PrItOUn:MH4PrGOU
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	df1e10e97f5602f68d8a5fde361383cd
SHA1	b1d5bb8e2b6c91ac76a2abbac81b3900540fec8c
SHA256	cd25774ecc2ca22e6b6d33d99880e709183b29fbe31b051bf6787573b186c206
SSDeep	3:gLJxBfz8sgAn:g9xpQsgAn
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.enc

Dropped File

Stream

Unknown

»

Mime Type	application/octet-stream
File Size	32 Bytes
MD5	3a7b911fa830672e1c2f9311feedc892
SHA1	42c68261a954cff8f1678f09be8a5398e9fb1cf6
SHA256	bdbb4759e82bccfeeabd8bbde0d58531783eb4d2bac4fc843fa17613dfbaf152
SSDeep	3:VXvo7DdY3I7nn:Vg7ljn
ImpHash	-

C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg.enc

Dropped File

Unknown

Not Queried

»

Also Known As	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg.enc (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg.enc (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg.enc (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg.enc (Dropped File) C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg.enc (Dropped File)
Mime Type	-
File Size	0 Bytes
MD5	d41d8cd98f00b204e9800998ecf8427e
SHA1	da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep	3::
ImpHash	-

Remarks (1/1)

There are no files for this filter

There are no files in this analysis

WHOIS Domain Information

Before

After