aa7d8be213152f35b5bd6e74f60cf14d5b7a88909ac79b7b25e6bf5b60ffad46

Analysis

max time kernel
90s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11-07-2023 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

busavelock96.exe
Size

332KB
MD5

881eb9957ba912beb13685dc507e7724
SHA1

b4aad9a1adbe5ec389c15502d57440d0a29bfdb1
SHA256

aa7d8be213152f35b5bd6e74f60cf14d5b7a88909ac79b7b25e6bf5b60ffad46
SHA512

9ca26fcb63a3d6bad459c0d386638b4f1c5d07ab1ebeeb6b958adaae77fe9f277ceafd5a050bef1bb34b6b5aebc0c2a314334ecd4b610bcad296e2d4ceb79680
SSDEEP

6144:PbDN9i3aojIaWQoFeyDw/VG4g189vjHBqVYGpLRztkT:d9zOWQoFLDw/VNuoytkT

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">AYUcd0cS4Je3Z97t+y0XhHGxJl3OLB4Jz7evweRgsVDzvfNWJfZtHnbvrk+qTbai/YK55E/cUzcmyFn+5RaLeFuQ2itokTOdP2mcNgo1GQMLmTqtvCT5/aj0zs11ah3lZc3GPKrgblKT+N+XZr/2/tIhceeBfMGctAt2WFB3hYxVzUUSizJ6Lqh/WdcQHQyneDBArpBnKDcCprUP5HTNb1jmtoG1tlghetLgY2RpEYJuoKRNCFSvjJY9ul+sp7vimcJMBHgYmQ3GveIpvRAMVvlu7SZG3yMvHFR3GtqjS6Usy52IV4FYTGbxH9RSP8Gl6BMAXV+HyibiE5vQ9TK9o7zT/u1PrHSoAysps/YqzD/q2nBgBfvgCN5Y+8S6l3CAQKoBItBPbLNc6H5VrX1WrJBUCIReAFEhs+aBO8bP8cmJPRpQvHErwFply5A+loD5kGCAPckYjvdWAUv3+QGlH2GCwMPBMfqY11F016Wj9IRvJBD56r3C6gjC7SXyDYQ9yWrCTkfbSKiyxM4OFvrZ4z6a4i5ljGJYZJ3nT5FJ7nR4BEcTqk+D/CfQ3HDeWoB3reukaxOY40XH2bo/lBf5gNE800tqfDyaLW7V4HW1b4/bMWE1PYl8tkcH9AuJLYV01mWsV1kSnjm1iKhTmWEDVaoJPuuJtyMm13q1fiiY2WSgQHicrH6ubNMqJTXZMhgTRGmEwegvc8Eu1GgI5GlklGUorKs1M2RfSJOzkSUjrUUdNhf0RehGvw7GQbuc0JsMNezJT2Binq5RSFLYmPDkNEPvL5NAFd++667Cv10ItLarGrzHwQetUdyzA1KQHiN+E4j4nkfhHq0HeYCE9LFptsFi9k6Ke5dD/d/cC/JM9oQckrT8X/ZaO1m+3AKm2n/I/npoeN9sdwM9wB+BCpu+SCSto0wHmGEgu5mYS3DwWJOIMXpEldcAZSVIEvnh/N1e+eV8gekF3hMrsb5tKZH+yaqQIeEfLGeaOQy/UB7pA//pBfB4HIJf2a/YyjTSg2kGkqFLZ9vKX3fGjucudqrHZOyVuYn3vl6hPXoKsenVnfo8AyNnMg+6he9OhXrlFQMUfGq2NnZXzuIv27CmvMVFgremF9BLpzniARNEvy0UtrIWX4SMyxA+lX+VXxQpZh+rcrmwifDOaS1cHMzUP17FCnyrkBnfP9dyafTEgBYPV91LTJc9Tv8QFK3oGzCjK/eydSwrmLUngYvv4DXTw2XsEsqG6EfXqmzD21q6kjeRdj+BqwvfRlJfjWzr0s9/cnRqYLrdfRsq7bqp2IZcFO+jTCC/cp/s1T+mpNePeVTz9MPMaQ294YIQPhDfqm1/zqDLWR2FlKI76uEshq6mDY6ieBAxxu3yJWsBcVWSdyo0vjtDuDSh7b3PzaLcd1i8cmMkOwye3LvD6wNMzKhiwGPn2zorL9NVRg5DNCY/pDZxHYmSU6BhetQFJYy5hHh63OL1zxp7n6jhCjWv5t8wZdgdroT5H7okU8EkXiZQkXZENVDtiV2qQ29aNxLoDywtrZSFcfa7ozbEIzyCy5RmBqGdrMY6z0N4sDQmLUTR9ChcXYKn+x/bwmNFXOMSd5ZV09tGquQfG48CcXD3srGwMdLwG6+T03TL5kpSE0t296Hmtp6euNwMWIYGvLACvtWrJsZUYHg5J6SOWqkXSybtWMH/VAcT4Wqr/lLwOJt3kiuKTUE=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

busavelock96.exe

description pid process target process

PID 2948 created 1356 2948 busavelock96.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1020 bcdedit.exe
2792 bcdedit.exe
Renames multiple (7605) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1604 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3008 wbadmin.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

busavelock96.exe

description ioc process

File opened for modification \??\A:\$RECYCLE.BIN\S-1-5-21-2859459355-424593036-1984306042-1000\desktop.ini busavelock96.exe

description	pid	process	target process
PID 2948 created 1356	2948	busavelock96.exe	Explorer.EXE

pid	process
1020	bcdedit.exe
2792	bcdedit.exe

pid	process
1604	wbadmin.exe

pid	process
3008	wbadmin.exe

description	ioc	process
File opened for modification	\??\A:\$RECYCLE.BIN\S-1-5-21-2859459355-424593036-1984306042-1000\desktop.ini	busavelock96.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

busavelock96.execipher.exe

description	ioc	process
File opened (read-only)	\??\F:	busavelock96.exe
File opened (read-only)	\??\J:	busavelock96.exe
File opened (read-only)	\??\K:	busavelock96.exe
File opened (read-only)	\??\L:	busavelock96.exe
File opened (read-only)	\??\N:	busavelock96.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\E:	busavelock96.exe
File opened (read-only)	\??\G:	busavelock96.exe
File opened (read-only)	\??\M:	busavelock96.exe
File opened (read-only)	\??\O:	busavelock96.exe
File opened (read-only)	\??\Q:	busavelock96.exe
File opened (read-only)	\??\S:	busavelock96.exe
File opened (read-only)	\??\T:	busavelock96.exe
File opened (read-only)	\??\U:	busavelock96.exe
File opened (read-only)	\??\A:	busavelock96.exe
File opened (read-only)	\??\X:	busavelock96.exe
File opened (read-only)	\??\V:	busavelock96.exe
File opened (read-only)	\??\P:	busavelock96.exe
File opened (read-only)	\??\B:	busavelock96.exe
File opened (read-only)	\??\I:	busavelock96.exe
File opened (read-only)	\??\R:	busavelock96.exe
File opened (read-only)	\??\W:	busavelock96.exe
File opened (read-only)	\??\Y:	busavelock96.exe
File opened (read-only)	\??\Z:	busavelock96.exe
File opened (read-only)	\??\H:	busavelock96.exe

Drops file in Program Files directory 64 IoCs

Processes:

busavelock96.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb	busavelock96.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\vlc.mo	busavelock96.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03453_.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185776.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14532_.GIF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue.css	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STORYVERTBB.DPV	busavelock96.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG	busavelock96.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00555_.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01750_.GIF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF	busavelock96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js	busavelock96.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_ja.jar	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-tools.jar	busavelock96.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cayman	busavelock96.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT	busavelock96.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\PREVIEW.GIF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF	busavelock96.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis	busavelock96.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\ja-JP\Hearts.exe.mui	busavelock96.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\WMPDMC.exe.mui	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152622.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\BUTTON.GIF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.BR.XML	busavelock96.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00253_.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFS.ICO	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\utilityfunctions.js	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Bissau	busavelock96.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00642_.WMF	busavelock96.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	busavelock96.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnssci.dll.mui	busavelock96.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_SelectionSubpicture.png	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Taipei	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml	busavelock96.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09031_.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZUSR12.ACCDU	busavelock96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css	busavelock96.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\How_to_back_files.html	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	busavelock96.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Fiji	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\de-DE\sqlxmlx.rll.mui	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00254_.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099149.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107722.WMF	busavelock96.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml	busavelock96.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Subpicture1.png	busavelock96.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2700 vssadmin.exe

pid	process
2700	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
756	taskkill.exe
2704	taskkill.exe
2624	taskkill.exe
2288	taskkill.exe
1872	taskkill.exe
2188	taskkill.exe
1688	taskkill.exe
2424	taskkill.exe
2732	taskkill.exe
2924	taskkill.exe
1444	taskkill.exe
1748	taskkill.exe
560	taskkill.exe
2832	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

busavelock96.exe

pid	process
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe
2948	busavelock96.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2744	WMIC.exe
Token: SeSecurityPrivilege	2744	WMIC.exe
Token: SeTakeOwnershipPrivilege	2744	WMIC.exe
Token: SeLoadDriverPrivilege	2744	WMIC.exe
Token: SeSystemProfilePrivilege	2744	WMIC.exe
Token: SeSystemtimePrivilege	2744	WMIC.exe
Token: SeProfSingleProcessPrivilege	2744	WMIC.exe
Token: SeIncBasePriorityPrivilege	2744	WMIC.exe
Token: SeCreatePagefilePrivilege	2744	WMIC.exe
Token: SeBackupPrivilege	2744	WMIC.exe
Token: SeRestorePrivilege	2744	WMIC.exe
Token: SeShutdownPrivilege	2744	WMIC.exe
Token: SeDebugPrivilege	2744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2744	WMIC.exe
Token: SeRemoteShutdownPrivilege	2744	WMIC.exe
Token: SeUndockPrivilege	2744	WMIC.exe
Token: SeManageVolumePrivilege	2744	WMIC.exe
Token: 33	2744	WMIC.exe
Token: 34	2744	WMIC.exe
Token: 35	2744	WMIC.exe
Token: SeBackupPrivilege	2460	vssvc.exe
Token: SeRestorePrivilege	2460	vssvc.exe
Token: SeAuditPrivilege	2460	vssvc.exe
Token: 33	1924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1924	AUDIODG.EXE
Token: 33	1924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1924	AUDIODG.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

busavelock96.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2948 wrote to memory of 2900	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 2900	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 2900	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 2900	2948	busavelock96.exe	cmd.exe
PID 2900 wrote to memory of 1020	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 1020	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 1020	2900	cmd.exe	cmd.exe
PID 2900 wrote to memory of 1020	2900	cmd.exe	cmd.exe
PID 2948 wrote to memory of 1928	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 1928	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 1928	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 1928	2948	busavelock96.exe	cmd.exe
PID 1928 wrote to memory of 584	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 584	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 584	1928	cmd.exe	cmd.exe
PID 1928 wrote to memory of 584	1928	cmd.exe	cmd.exe
PID 584 wrote to memory of 560	584	cmd.exe	taskkill.exe
PID 584 wrote to memory of 560	584	cmd.exe	taskkill.exe
PID 584 wrote to memory of 560	584	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 828	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 828	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 828	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 828	2948	busavelock96.exe	cmd.exe
PID 828 wrote to memory of 2228	828	cmd.exe	cmd.exe
PID 828 wrote to memory of 2228	828	cmd.exe	cmd.exe
PID 828 wrote to memory of 2228	828	cmd.exe	cmd.exe
PID 828 wrote to memory of 2228	828	cmd.exe	cmd.exe
PID 2228 wrote to memory of 756	2228	cmd.exe	taskkill.exe
PID 2228 wrote to memory of 756	2228	cmd.exe	taskkill.exe
PID 2228 wrote to memory of 756	2228	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 108	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 108	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 108	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 108	2948	busavelock96.exe	cmd.exe
PID 108 wrote to memory of 2676	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 2676	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 2676	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 2676	108	cmd.exe	cmd.exe
PID 2676 wrote to memory of 2704	2676	cmd.exe	taskkill.exe
PID 2676 wrote to memory of 2704	2676	cmd.exe	taskkill.exe
PID 2676 wrote to memory of 2704	2676	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 2108	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 2108	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 2108	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 2108	2948	busavelock96.exe	cmd.exe
PID 2108 wrote to memory of 2184	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 2184	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 2184	2108	cmd.exe	cmd.exe
PID 2108 wrote to memory of 2184	2108	cmd.exe	cmd.exe
PID 2184 wrote to memory of 2188	2184	cmd.exe	taskkill.exe
PID 2184 wrote to memory of 2188	2184	cmd.exe	taskkill.exe
PID 2184 wrote to memory of 2188	2184	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 2084	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 2084	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 2084	2948	busavelock96.exe	cmd.exe
PID 2948 wrote to memory of 2084	2948	busavelock96.exe	cmd.exe
PID 2084 wrote to memory of 1816	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 1816	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 1816	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 1816	2084	cmd.exe	cmd.exe
PID 1816 wrote to memory of 1688	1816	cmd.exe	taskkill.exe
PID 1816 wrote to memory of 1688	1816	cmd.exe	taskkill.exe
PID 1816 wrote to memory of 1688	1816	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 3068	2948	busavelock96.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

busavelock96.exebusavelock96.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	busavelock96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	busavelock96.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	busavelock96.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	busavelock96.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1356
- C:\Users\Admin\AppData\Local\Temp\busavelock96.exe
  "C:\Users\Admin\AppData\Local\Temp\busavelock96.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:756
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2836
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:2556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:2496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:2964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:2300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:2596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:2268
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:2392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:1912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:2144
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:1080
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1436
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:1464
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:996
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1348
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:2232
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1032
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1684
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1176
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1752
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:2452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:672
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2244
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:3012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:2604
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2368
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:1920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:2600
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:2572
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:816
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:792
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:1112
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:1644
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:1900
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:784
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1740
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2980
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1784
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1020
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:1832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2952
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:868
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:2116
- C:\Users\Admin\AppData\Local\Temp\busavelock96.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\busavelock96.exe -network
  2⤵
  - System policy modification
  PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1760

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\How_to_back_files.html

Filesize
4KB

MD5
7c3f6e9a4b7280c3e4cf5162dab91a76

SHA1
713ebad2eb3dad54c852d50796ce8dcdbf5b274a

SHA256
f1fd958593b04d049aee106c36d6933b2b3ecec69997b3a95edd93426da8b20d

SHA512
642df7562ec6195e765e5b0358113097f41e99bdc6eba226e237a2dffca1dc8a243acbe6bd85594287f7b277081b61122aca10109bf03dd257575801c3a7ad17

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
95799d26aa700374bcd8a2ef03347bd2

SHA1
96ba0abbae10e184897fb5b17203673411820f07

SHA256
a5cef0e031ba39db9f366e387629e9b00a4c6a230e7fee3316991fe669b683c3

SHA512
142053dfa352f3c152da2103cdddeebb3d8dc99aca00d0712857db716cb3abd06e5e8202916b072956e6b50c8f8af28e277f09223afa9078d4db1992184d3385

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
5168a7076cc04fe5515ae007695697c9

SHA1
d3bcfff993d318a007b8f4c825a7e51c1e5b40f4

SHA256
612b7baef2fa51a226ba8fadc1b4b54324e764ee23ebd5fdb9d492f02b5cb519

SHA512
3ea1b5de8dd7cf779cf3fe6532ba358e8f2020e2a81ca03e9598d97bb583f3ba90d64326d2d7c81049e49787e2302f67fd63fda1fe33cc3633e17e528aa646ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
2bec8b88b647f439aac808a935c84234

SHA1
d2797a8741c6a02e93030ec6d2ae339e3d1d797a

SHA256
e3464bed0a4a84fafc637ba040c41f47bdaf1061a75bd1f569d1191af08d2d79

SHA512
f2f47029263a1f6d51a77d6acc51dcd2383674d91b74f34801c2821e62fd42f416bc806c94b92872723be482b4e048206f4386643875774396ed0f63a5f9b26b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
f707605a38137d978df8aed71291edef

SHA1
66200270e228ae55d0cd567d5e71df6699c08ae0

SHA256
b31661b8cfee62f8921df6c6289bef7336082907932cdb3b1ce4a526aa745b32

SHA512
ab1eff43a8b5cf0e125dbf5fcab1f1ead37ba501d078fc1044d221051a116fd06e8cf0c311a28046f71fd2206544e3b93df9cb63572cfb4648c2bda2589cd15c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_F_COL.HXK

Filesize
1KB

MD5
e0e650b33ac2d645f93e3773c36ac32e

SHA1
c469a2e0743db6c020d3f3485e2c77c7eb9a1ce0

SHA256
03ddc37f982528e0545815bafe8a78951b61289e4de12c3546caceac36a657aa

SHA512
64fe79e263e810d544c027a7be9205c749c476a59d037f50a27f0511136baee94cb1eb60a7ba837b12a2e81b2b588b6b791f369c5ebaa15b314b5e5bead9341f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK

Filesize
1KB

MD5
22a1785fb2c670f3699d3cc00382081c

SHA1
d997a8f426b283141480fefd6807119faaa091e7

SHA256
75159df1b3448e63a0b46c0e6f577d49b8cd445bd193ffb5a9bf8f06b9a39932

SHA512
164740f3789f37a0eead2235276e1f976cb408cee8a7cf1c7cd6b9cab3f28fd718232a14d976f08a00c53b1245700223408fdeb9308f29a841756dd48cc70f47

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
1950219b5befbf150322c03b3ddfe543

SHA1
e62d304a8149445af4ab12ba1885b5790ff616fa

SHA256
1731047eae3e61dea74ffe43d0ff994cd70371899b034586b3b6044296d731db

SHA512
f49bc58e9290b9945f4912bc94999915b049655a30f275b351b56316d8599a64a8b20be6fab9fd887390836375fd76a73f2016b463099ee3a6e4760aa1306176

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

Filesize
1KB

MD5
abd3a6bc67c0e00ca365f27c52b9170d

SHA1
dd522489b32796856162d7472d9a95be7fc3a110

SHA256
744e48161f3e97fe2c63c9753b02db6cddf6a1342e0148dbddbcf34803ee8146

SHA512
63fd88172de00b939069c38fdb24080380e865bc63df3935e386e51c092bb6c6312e906cff0d74062e5e9f9a3467b9fc7bfb3487e3b9ce40ba75fc2b2251930b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
5b6c148c3b8261352df781d27fa76726

SHA1
f32491249bcb1f9099fd9668e1a2a504605353c8

SHA256
6518cc345f9f67c1ee8e935424c6e7ca889d6d2edc3a98827dbc1283058aaef8

SHA512
31719271e772f54fd0cbbb8d545002b0eb2d5a5c8c5bcc146ee0195c4382096c5d27633d8772e5f02d560d51665540469a219f945e0af4dbf710897e44735b1f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
f9f151ff007d3f247323afc355000f2f

SHA1
a1b771302084c9ccc90f927e1f9099e4863283c5

SHA256
8f54f3278d219d3ec950519cc3221287eb226654d5f62d4a41fa638163d0a01c

SHA512
e264afc7d5959d5931642a26bef461915eaf66f565683f45bd5be4a5b4a91c21a0c8cb76e8c3a1622623571004c31f9385844187830b8472808ce25aeb937e92

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
9515594301a3c0466550abafb472fa10

SHA1
36e19dd6dd26747611d4feaf82fcb34f07326475

SHA256
18ed8c3c14d0d6f6543a69717ddfc8bac05ac41ad151eca5cb19608593001829

SHA512
01798df8b0195407a9c0b23787a35735b8eb1837c54d3a791e3450eddd2c1e74d43802a783b201afe85259b11e55d83300e2a2ac2d4b8ccf11c016ef6e754740

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
8KB

MD5
950aadfa27ddd5dcf40364a6e1cefea2

SHA1
da650af0212089f08df87955f5b4b1617764531c

SHA256
2db8abd9ccfcc789dcd96c3854ef8d92cf7cd45e589d5453cb0f1b166c1b457a

SHA512
c37ce8b91ce7fed0b1f00dfdeca9c0b56d9e5f14dc8d74d81d1d45d17546ae0b4f4deb4eeddfb9321ab8267f27ead3e8917d8871014035daeba5e5cfc44b3eaa

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
1KB

MD5
c9ffbb0e91767e18cb2d53f0deec265b

SHA1
1b44151a44ebf8ca967e169925b084cbb203fda9

SHA256
9dc83041a7f507d461e6fdaff435449164a2f50052f6e7ae8ec220e2e1b6f078

SHA512
0596723ffc4902b5713ca55170d216de2ae514311edf4a646e6bf1f66f320944896e9bab6337c7bb11f2e7d0e41e195cf109dd8de8b41d6ab71865b8266f25b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

Filesize
2KB

MD5
e8c4ad398357001a9c1cc09627074ff5

SHA1
6784c510957fe85dd7afe1a80e3906c49970a81c

SHA256
1d9cd938b9e6d32bce0c808b7c8b8d8664470512b84f7ec9aec395291b65cc4a

SHA512
9110b6e0af1857f286e472b7f3aeef14aa0e505b63fecf9eab18af5f890e5884c18cbaf631354cd81f988fc338beb8d6d51bf846e37bd797b7c467eaf4f3ed55

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

Filesize
2KB

MD5
3ce1dcf52965694b6b7ab98b0d84d6e3

SHA1
110c74ed030d39e723b5d9fa714aa02e59f96f23

SHA256
e0434c3969256fe0769fc1bede26adc7289a46e17ab77759484d1f6591c23fd0

SHA512
6119a5f0a03395f2391e0c103279ab3037878533664576886a2ae3a3b5d5151ec28350b8bb3961140663e41bcb0f8b1b79bfa2c375737a3f0acad7833e58432a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.ICO

Filesize
1KB

MD5
c46c91ac4f07cce4ab6ef90248a5a524

SHA1
d45bf066326351aed39b3600f1f42b2b4e19a61a

SHA256
333cf1b1a09989c5e435dc608a5d18b16d92426a974249e2b954abb826efd66c

SHA512
ce2d6b34915b1faa8d258b09732b2de6a781711b25437cc4ab8467b240f61457619b9253b022a689ac1042407127b9eab2f90c507007351e0fa4dffaae19cbb9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
4KB

MD5
18679dcc4f8312cc23375bcbc6d4268f

SHA1
4c745fd990fd97a581beaf454298e04767b49443

SHA256
b1c0fa4a1cd4626d1d03ba8885f3bc5162500bcc4f02df74519ba50a9c89b7db

SHA512
a0831d11f446c7162ba47c1fd4678c948c9005699b6bcbfab63f6bc70c0e50ea4ac675de7839d2e8883643f484e496bde4aa53bb7682993d2e477492699f9222

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
2KB

MD5
3b42c157e79f74581a8ae07ca30647ce

SHA1
374bf7946bd7204afa0ceafeed7fdb745949c1cd

SHA256
807b6dff2bfefa030abd4fd865fbd8c03e6831f8f79eb3d0231ecadf2f973dfb

SHA512
bb74488346a8b54e71c7f71092d8eb9d4702b2dcbc6e71b59218fe38d2b8ca275bdb97a6a030aeeba8c2ee399b94c2769b7858e6d60395749240f051f659693e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
2KB

MD5
ce8c5b7289aef46a20a77f179da8ef4d

SHA1
2fe0f02c386b0abfaa2b01c895038ca718ef697f

SHA256
a44dda94252e1082cc4475cb0145eb69d3f1a4e95c03e02c4bf8b05140251b5c

SHA512
5044a65c701d9d9d26d7ce5f098bbc13b778528104df7bf7913b5b1b6411726bf9f6bb613bd7d2c9a0bce8dcfe0feb6fb2d4feb55e50d6cd37282233507a576d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
2KB

MD5
601a427fcc76f0767a87d1c5299f09d4

SHA1
4463c5109bb4a2b7ce703066fca80813a80598b0

SHA256
fed5f731abf8170b2e977d85cc22d375e2962b9c7eede6b56007ec0370d4bb99

SHA512
2a0afb751fe0655a2078e56caa4f0ce4d86e16dfdbc32bce7d30442fdfbd39b735570b0bb8d10c64ee60c9ea10ff6b87856f46635f12faf3e592983a886112fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
2KB

MD5
ab431dd4a6957f3a4084bf0c5134ba15

SHA1
87b3c6b9ef967ffb5718e7a9ea794583f31d449b

SHA256
17b7fa80bf2d6c0944e6e7967a53e72efddbed104244f184bb7d1586b9f28508

SHA512
167ee6d3c47b9485dcd842ba53478561dc177c00659194431d32dffc97aacda6cafa4af65b557c273af6a8319d0cd74f866e2d9fb62733fe44df1c778c158b33

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
6KB

MD5
a01b09d27b08ace6ec8e80528a3e5b5e

SHA1
48260deeb73448c8a58b4440d6de1cc05ffd2edc

SHA256
68646f1eb6efcbf2d9f00a0b270f776454a6457138f457f124333b2199c72576

SHA512
06d207a106ee68e4940d6b84ccb74bf0fcd3bace5686e7a69c59d0136f9592bb55a562c51498f41463a8a790e0fcf51d8998b451845448c47ca49d01be07d910

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
2KB

MD5
d5514950c826790f0a7783090bbbccd4

SHA1
396c95779e8906bdc17a644314e19432da2b8856

SHA256
6842032b11ef36bd227891b075276c3da476b3bd4b252a8cbd2d051ac6e63b27

SHA512
df1b654c4ef9c7ede664da22512e50cc5bbb7bb228a8cc285c5037b8fa1fb2235d762f315be104b1921e535ffaa4fa529c5096b430bfea0b8f8dbc772dbe79fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\attention.gif

Filesize
4KB

MD5
6c2e9280a6a38667a6c34509e710fbe0

SHA1
dd3c8fb55196d6540b675ba856647ce081f2b81b

SHA256
bcfdaedfd86d890525debd5efc1acb8ea9a659a46c86f85c32166cafb25dd875

SHA512
06f384ae000fcb0c2a2e4ac7bc0150b190288f9c39669b09b83b90aa2b471fbb2c842d270e37d6717ce7354a94e5d636ec5375dfe268c2c2be3f87d8332d866b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
2KB

MD5
7e39ece512e84f7473e05f39a2a53655

SHA1
faad67b630016126c257fe1b996115056b0a8562

SHA256
9295ef5d885ee6836ce40a070c95c43366b815ec01393e5807f360e9009bdbdc

SHA512
bb20396b9dfd44902a27fec271290fe8f249b9faa7816bbffec1d7a143540f0216e09225662f1d464b5856e110892d30a68be9b95fdf7e73d8570bc9f566d6cb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
2KB

MD5
2f970751dc0d3a7ff029f8f53b938dd2

SHA1
8aa11796416b49cbc488c2d9001f317faf5eff7b

SHA256
3e914faea43975367d85102aafe0348f4826167948db4bfd7123e5e787cc67c8

SHA512
06bb15e82b3e1e6de4f5badb49e90d45e7c3e4dde8241d4fe8ea7c6ea8ba93db17074a1e346df0100e6cdc8aa9526a3c0cf62d7ed6c559c273e692fd424b35ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
2KB

MD5
c757732317f506bff4120b5dac7dadd5

SHA1
47d9e80294b1a89debcdef5becb3884f4b382858

SHA256
6e86f0bc2feadd1b821baa02644048e97a31cee02b1f725e521ad736862f0092

SHA512
cd06d05f9f94641ce09b9ca8135c06b65f58ceb27efd7611dfe825c24efb52e98956c9f5d59b06d9ac6aae197315b5c9823d2096ddf2102d6dc1cf1dbfb17fa4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
2KB

MD5
6f638ecfff444f4d0dd6f0b3b5cac491

SHA1
a3e875a2cf3c7056922d0a249ea1311d3add87d3

SHA256
e25c907425950c84cdd90cd8a3d0a3170311c1b87c7bc382a20828b8325ba41a

SHA512
c16079e0609470164d883386ddee6d0d69e4b969c57337a2242354f78ce18705fddcaafaa16953a222d061c05d68fc0fb1a147d2d99a084ebdfeca01e8b3af8c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
2KB

MD5
9f9407fac682cc9b47d454b61cfc02fe

SHA1
4a176280b091ef85e57c8896705241d3e724fbd9

SHA256
8b693a1bc6fd108cb2e5d513e9f0f448ebc766c0a0e7b755d3ebe39706b211ee

SHA512
afbdf79e008c8d569df38a44fadef0875c3b11c978a085264d04587350ff566b4bfe33347cdde5d0ae7f5e4a03ef858ac7677e6158646cb665263c9442c1e11e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
2KB

MD5
e15d8fb4554f2d5b74be8230a56334af

SHA1
1b06c1d0e98d961c3637e670085f5e4f30b5a2ec

SHA256
818f6dfdd1547bdd9d6204a5a12494fee028fd314702be9b6dfbe7220c3bb120

SHA512
2d1d9ab57541a73c274c031d2ee45b6dfc58fca092ae69a807bb81e49b38c4dfe7de6173e3b6fe135b8d5333335c1b44d683ba1797c3a6164a15322ede88cf34

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
2KB

MD5
9fcae72981dca576d42737c85cd15bc4

SHA1
73da6335f6ccabe6e7a3c6055d1beceb214a66fe

SHA256
9c707229ea6da53e808a7b660a605b6d002468a5415279bab611e83e333bf1d4

SHA512
fc5e3208ebd6565ef02006b5285bfc4ae4a38c6811ad96f3d5729992d430214fa2097921cf7e9ed6ea50882c96556c6af30397004f56b381135a3f0c38af1936

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
2KB

MD5
f02e3ab3df5b52fc3b76c4da93ce8a3e

SHA1
aa071277b7ac823369d5b302698f55beb0fdd449

SHA256
2a102d7ff79dc6855db4c39fe55783d4f4bf8e656c0e7e1ad657b921e4ba3782

SHA512
b4a0e98412503f17b0d2c4e0b948aeff46c3de6235aeaabb1d1b7543ce03fc33db3864b9040dd059ca56260bdb44da8286b2bd33eba40a03f4a85c10aeb00740

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
cacf28f98a2df8a828ddbecea3876246

SHA1
de29bf5bef2995b6fbb39615b427a42f725abc29

SHA256
4ff493ebc1b384c5d6a48edbe9b74d5d2f5330f5e779b6ddcd4a8e63b243e915

SHA512
d522c5569d628c9b93adfbf071aa3230d854f0f15b06264566a475d22df11ab83fc65c80dc934d7504e56c615c4bc5327d3a1dcbc8c9515b5bf6fe5f4f2a9aeb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
72c48a03c693d489aecb60028f86e207

SHA1
215e1362638491e3d4e528cbdf486a05da91cbd9

SHA256
5e1830497d5ae267c911162284feda89d173851bd36ffb4a953e6d67a61e7974

SHA512
1b023b5cf1dd3df4ce086d3d662fd4cee86250a7d4e70ac9a993406b2b01b59417b5b9b24a480bfdcc2f19b898f42f761878e708b8a21395651f9e42492fb250

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
07c1d4b61c0ae16fbadb63ac3221ece7

SHA1
c5e7995c1f2cd8afe76fccc776a71211efcbde43

SHA256
f46169fae379dd3e9280e7d57c2afee8f24b9c993f9200a5fb28ce0d23cd474a

SHA512
9007564cd0f14eb219e6eaeb0042d93afad0ccfae9e4a23364bf49509c79f50ed8fea34ebb80096f05e6fd63228cd29f33a97f3b49e4abfdcb7d5389c23682c0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
54bebe0f06877e4200ad20647c977050

SHA1
8a543423ef4b8c1218f5ed51745ebe0be6c1f53b

SHA256
ff8faed2f53cd134ccb963f859f66a420f326c62ad2c6101b186272b5e0def64

SHA512
839946b56cb69d700a427e6e782c5d5c2a46ad8cc9601a55f6929c690e5c1c5800aa37e4bcea80bad7bef694a43e73ff9135e54fb0a7d805a820af3ea94231ad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
b7c7af33d7de1b72e505df2a20faac08

SHA1
f931884a0c731de7893fccd7943a36923f34bdbb

SHA256
3004fab8b3a07c999b19f46b63b4910ac7f076b31b2f8a83083595312cef7a11

SHA512
0a1cfc74aa3f10b692b5de2559bfe9c0bcd043aa9fed5b53614c9bc275cb1a6a1751f174147991f4e76e6ff06e47a455d3bbaf1beb0ae061dfdf50f3a3145a83

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
b19c1d7ae5ba926fdb7900d3de773117

SHA1
c57151d3d0042064fd34a2c55d8ef3022c7f1d18

SHA256
88cfcc964b7fcae71fe9f58f621b2d28b7d4b6f8b7e643e530411de5c6028b15

SHA512
3899177f9ce3e1cc17ed051a25eba646fdbf7a50b02b044c2cb6ed0a1206bec79b829109fbe3af4c234ba3516877c4e087c7f56201b0901cde61b3c1ee9c8d43

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
2db26fea8ed5f6049d8ed2040d2840c2

SHA1
46e0ba566f56734ed46f397e8c451dea0b92fea5

SHA256
06bcfe26232d77a874b738cc78ade796f3e7e04ded40d47a2fd9905ee4560d1a

SHA512
6c56bdbd1ec0edb04334d849f101b34b6884efca435712a98614c7ff6f4dcc48ef2587cc814c1c92d1c24638c1f4e490cc8a758db789d363895cefacecfda0c3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
92e0c6339a3ed6605155c945f9da881b

SHA1
ee21711a9ed949b6d5f3a9c71fa4e48ea1c3d8d9

SHA256
85c4084494c9b8d44ae3821ca67aab9369a9965477b90c9ee728e79d295ca4ed

SHA512
9f350778b16676795265972c79a2052f5afacd45b176b39c61dd3f3eecd1b7a978abb1dad1384a5593d49b052a3ee86ad1471e1edea49f1fc94e23936b6792e2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
3e1c20e787af329d1d84ab93a3ca68bc

SHA1
f39b086100874072f50ada5836d52088ef9187e3

SHA256
de5425c0ee539c01ef6f932a4633d089657379b784c4e8dacd5a70c0fccb2065

SHA512
7598baab78303b93430e58da70385a48ca5f10239b3e3eda2cba83e8959599bbc166a25710f6b0acc720611ac9d9c4cb61a5f9417fb6e888bec7c03b82f5b9c3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
f1092012897f00a398ea0345c37b23ce

SHA1
9325c73f9a29852afed407948b2aecd73b308017

SHA256
9500d6fd2c56fb71c3f3c2c357346f00242ceeb57e7468c1d8b4eb43b39b9f91

SHA512
09b21a2d89147a3f0b06421ea5275a2c3b42930e3108dbb021a46d76a1eb0e6b69c2b742707331d7063efc77531a4b51a3a8f009863b2b6c32b1ad5739ada7dd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html.busavelock96

Filesize
13KB

MD5
ca8d69ae257e8c2b5e19a7c388c6a182

SHA1
356855566cab78104aaabb3b3c80154e72d4dcd1

SHA256
62b1cca022941590f7c98fd8ac765a6e38f9d1f3e01cb8d19924f20438542d5c

SHA512
c4ea16070e3e861928e39e92e4f7d822742bbf63f4f243ce639e04c5e4e0864a5b3ff1a9615ad65f1d3a2736700d173645b93f794d5c5c3a82fc462078a20cd2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html

Filesize
10KB

MD5
84e1f84573eb7933379dd4af342f0125

SHA1
8b23c79d58262cd9740bb3d759a8aac2d1031c1b

SHA256
6385bd1c4d33466cb1ee1a2f3a4fb797fcfc385289b1efeb39805ce0bb7382b7

SHA512
80e4b2e299a00a7dd6398a383198653f87944cb7c37a42f31fbb61d04ec2a1d96ed415c71859945c033b510d93df94d9bf4447839fb6d5f956e97785f370dbf9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
3aabb1e9be385242b2e2da75734385bc

SHA1
e453520f616a0d116a39efcfad1aba890dda2268

SHA256
7cd1e0eb665b2577b4915d79bf6b620eb64b93cbd502cc5ddd1b39a9595a0872

SHA512
02384a508fc702c6181260953faebe068f7963347ecb865879d1c5875d000039cdb832158cbe51d41e9db909da072639f70a3309f9b65c864be24685c8b8cb4f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
152777228074ac19d728a60ea3090fda

SHA1
724671a83d23576abcdb11aac7f14cbb7e9a3c58

SHA256
86cbcfadcf34a485511bb2a22f65e35c97d3e5c5fb9ab4fa73d8e71d18e60ecc

SHA512
edc109b3a4c07b3bb57881d6ace5894814d87563300d0eb957b26ed957777c7ed36d517124e4bace8e9bdb53f7ad5d0aa74f5418864d5fa10b97941c1cc1aa72

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
1b3ec4d8bd92ce2d951bf876512d2e5a

SHA1
fd5030f0868f28cde59989402f1b513e9a19510b

SHA256
2aac0a879db19ef53dcc6efeabddfa17f0160808c5f35cb3a300a6aa60a27cb0

SHA512
f5b5b256bf46cbdbf028ea239a9520f8257059700303610dc313aba81e5a625b10a1b6e07f080d9fa2307f6c3fa5b5e60a8a338d8c5c449db9c3b3e02fc43b02

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

Filesize
1KB

MD5
b2c89f54596ebba33d8ca7a5e550e323

SHA1
1227a175db55c8b7acd1615c23c74f7bb35ef7f7

SHA256
e80c6ba8d3ec52431d89d2940fdf37177c31a129a9aa197e512090baadad5286

SHA512
07495588a6c7159ebbb16ebe8ab8e12e5e52907b722a33cc85a43359b59f1a285dbc02753ce5d5ae0e6897c8534e15791f1393f5cce0f9a6d4a6f77d568f838d

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
e556a82d4f8db15ddfc59b70c6e75c8a

SHA1
6c00287d004cc7529b5ecb9baa158bbd02093ac3

SHA256
c68240c5663d12ba42d94b85e6b7bb025af615a75a5a4e1dfaae6a3295f1f17e

SHA512
30b385deec92856a917582b33617db9686124a2f1ae284b28637310b91a85f90a828a837f999e9362a0de14d85472cdfa07094a5220ee113e2ef7ab5b2653325

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
1b788a697d6a21757a303df3ead2f98c

SHA1
091abf980b192114790ad7c6e44afda61705e7ca

SHA256
bb233f465f9d92ee155847a235da5fafbf13b13e5d265eeda2834a9af17b4d79

SHA512
29463d16c8c36d4e19402be1d54bad33b70b2c92c925ba314f9dae12431282e06653f4dfbc924c6124d27fab2e45031f52c32639781f9907be667e8101c78140

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

Filesize
1KB

MD5
cae78d5cbde78a99e35b4a74928d0fbd

SHA1
2164e58562fab1733408604f5016587f2c306b9d

SHA256
68d16002b561858894a684bdda893ec14a370ef4a4f7a5a15a31b844ef2de4c1

SHA512
f1213a60d2b0041ec2a2e442f9954d5d3d2ae7106a393baf27ec959ef26aa4fb48056dfdbd2262fa31e7662f21d2a70001dd8a12540b1607a1daca286ca587c8

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

Filesize
1KB

MD5
0dbd0a668bec54da9bbbbc581b16c48b

SHA1
5e65432d01292e52bc78ff1168335f2044924bca

SHA256
7743cb00f63802ce1bd90b2b5c1a8d64efbc889471f718e8568388490a047e24

SHA512
c7d02c1594667d1316182321f11ae39d781eb1f6f0024b10d0ba741fb9414de6002e3febb6df2199dc66fda25ff392f3010e0b53aa5182d876399d17364d9903

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
6f8fc27311808b9e0176835703e8c39f

SHA1
a849a0924f89ef7c5f399bda1801b4657c9abecc

SHA256
5c2a34e15e616cba4956bf60a9d5bb5e0285877840d66d285770bb233299beef

SHA512
3cffd8dfb5ea37e8a74934da5436f0a39e9872156b836e5a851934194713598cb0f7b5e7c69d8b51a787af7980f9b47ba17ee89cfcc71bb524e20d6ea888a1f7

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
9cc1f0bad3d35f6f122bcc6734ca95af

SHA1
6674c29db779dd4d12108b14ad408202cc102a8b

SHA256
caa63e3534920aa6592231a7961c728df38ec0c0884b4f619d7b2e8aa4ff39a4

SHA512
4fe159591a9959390d9b38510fee66cc28918c1925a07835941bbc4ea8e8c28e9270549423a8bf4c8636952009f2b99858c0b98c0fa0c40412dfc397dac8a548

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
f384dcd593c823e00488c532dc73d4d9

SHA1
f77cf723b827bb13dd3d3bf51be6d391f515da3d

SHA256
8c39f26d65659390184272ce070e0fa2e830fec2387cf9dbf2447479dd56cb9e

SHA512
1a3f20079718434d5956a9aab88cfe83f75f4a09c98a2bef7daeedcc93e7467f1dfee6720a7bec77d83df653944254181c98c2ff57fa4bf08c16c127d71bd771

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
63e892ff26e99e73a47a142a0e2aaa9d

SHA1
4b349d96a405bf45bf563d62af5f7b4b288ac671

SHA256
db0561661c16d3785e3fe06de974973c29d1e9aec16e821158b75308529041e1

SHA512
f9ce70ede33fd99bd4b1a506f23c35b3c4853be7c19024e60ce34ec456aefaf9606737acb0c7d80068bddc381f02ae24d671f48fdff03d8be50290f37825b832

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
3344d5d39ed0a92da58be4d880479deb

SHA1
6d6e3c31a572315adaf1e40f1ec12c9bdd090660

SHA256
350a3ba6f08a3a31cdde24764b4531781e7fd7f8c708dfe311dce37a032b65c4

SHA512
8f4262bb9e414330e1e42b00efd1918706fa389e9ad16adcfde5b1c429d8a87fbea177debb562e2d6e614c2f0de2b4d72cec2921c4aac8dca9952ab0b3866a89

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
04a232405ab8c9ccca196530cb4215c7

SHA1
5708cc712cad39643dfecabe2dc64b3961c49ad0

SHA256
8e800d4bde61e10e5e2af6b139d7f2ef5ff595242f6cc44de54432d16fd54077

SHA512
0abba6dda8e835bc2a2b6577b8f622cbe955be0db269ba30a77afd8b8daf9e00437dd3005d403b9d5db8a2eabe60c6bcff6c7765f9032ab1b3c2ff526ffef348

Download Submit