51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51

Analysis

max time kernel
154s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IN.exe
Size

340KB
MD5

714870c33ba84e744b84b32e6e114ed9
SHA1

840f442d4466713becdf72b88846871330ac38e7
SHA256

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
SHA512

270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2
SSDEEP

6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\odt\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 416 created 3144	416	IN.exe	21

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2376	bcdedit.exe
3548	bcdedit.exe

Renames multiple (4302) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3500	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4168	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\""	IN.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\""	IN.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	IN.exe
File opened (read-only)	\??\N:	IN.exe
File opened (read-only)	\??\P:	IN.exe
File opened (read-only)	\??\K:	IN.exe
File opened (read-only)	\??\R:	IN.exe
File opened (read-only)	\??\U:	IN.exe
File opened (read-only)	\??\W:	IN.exe
File opened (read-only)	\??\A:	IN.exe
File opened (read-only)	\??\E:	IN.exe
File opened (read-only)	\??\Q:	IN.exe
File opened (read-only)	\??\X:	IN.exe
File opened (read-only)	\??\J:	IN.exe
File opened (read-only)	\??\M:	IN.exe
File opened (read-only)	\??\H:	IN.exe
File opened (read-only)	\??\I:	IN.exe
File opened (read-only)	\??\L:	IN.exe
File opened (read-only)	\??\O:	IN.exe
File opened (read-only)	\??\S:	IN.exe
File opened (read-only)	\??\T:	IN.exe
File opened (read-only)	\??\B:	IN.exe
File opened (read-only)	\??\G:	IN.exe
File opened (read-only)	\??\V:	IN.exe
File opened (read-only)	\??\Z:	IN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar	IN.exe
File created	C:\Program Files\Uninstall Information\HOW_TO_BACK_FILES.html	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF	IN.exe
File created	C:\Program Files\Common Files\System\HOW_TO_BACK_FILES.html	IN.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\HOW_TO_BACK_FILES.html	IN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar	IN.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\HOW_TO_BACK_FILES.html	IN.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	IN.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\HOW_TO_BACK_FILES.html	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX	IN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png	IN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access\HOW_TO_BACK_FILES.html	IN.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\HOW_TO_BACK_FILES.html	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\msjet.xsl	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar	IN.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms	IN.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms	IN.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\HOW_TO_BACK_FILES.html	IN.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3064	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
4204	taskkill.exe
3120	taskkill.exe
2976	taskkill.exe
1852	taskkill.exe
2624	taskkill.exe
3884	taskkill.exe
1432	taskkill.exe
4932	taskkill.exe
1292	taskkill.exe
4696	taskkill.exe
1500	taskkill.exe
2824	taskkill.exe
4468	taskkill.exe
400	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe
416	IN.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	2824	taskkill.exe
Token: SeDebugPrivilege	4468	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	1852	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3080	WMIC.exe
Token: SeSecurityPrivilege	3080	WMIC.exe
Token: SeTakeOwnershipPrivilege	3080	WMIC.exe
Token: SeLoadDriverPrivilege	3080	WMIC.exe
Token: SeSystemProfilePrivilege	3080	WMIC.exe
Token: SeSystemtimePrivilege	3080	WMIC.exe
Token: SeProfSingleProcessPrivilege	3080	WMIC.exe
Token: SeIncBasePriorityPrivilege	3080	WMIC.exe
Token: SeCreatePagefilePrivilege	3080	WMIC.exe
Token: SeBackupPrivilege	3080	WMIC.exe
Token: SeRestorePrivilege	3080	WMIC.exe
Token: SeShutdownPrivilege	3080	WMIC.exe
Token: SeDebugPrivilege	3080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3080	WMIC.exe
Token: SeRemoteShutdownPrivilege	3080	WMIC.exe
Token: SeUndockPrivilege	3080	WMIC.exe
Token: SeManageVolumePrivilege	3080	WMIC.exe
Token: 33	3080	WMIC.exe
Token: 34	3080	WMIC.exe
Token: 35	3080	WMIC.exe
Token: 36	3080	WMIC.exe
Token: SeBackupPrivilege	4628	vssvc.exe
Token: SeRestorePrivilege	4628	vssvc.exe
Token: SeAuditPrivilege	4628	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 416 wrote to memory of 4500	416	IN.exe	89
PID 416 wrote to memory of 4500	416	IN.exe	89
PID 416 wrote to memory of 4500	416	IN.exe	89
PID 4500 wrote to memory of 2624	4500	cmd.exe	91
PID 4500 wrote to memory of 2624	4500	cmd.exe	91
PID 416 wrote to memory of 2164	416	IN.exe	92
PID 416 wrote to memory of 2164	416	IN.exe	92
PID 416 wrote to memory of 2164	416	IN.exe	92
PID 2164 wrote to memory of 4144	2164	cmd.exe	94
PID 2164 wrote to memory of 4144	2164	cmd.exe	94
PID 4144 wrote to memory of 1500	4144	cmd.exe	95
PID 4144 wrote to memory of 1500	4144	cmd.exe	95
PID 416 wrote to memory of 3336	416	IN.exe	97
PID 416 wrote to memory of 3336	416	IN.exe	97
PID 416 wrote to memory of 3336	416	IN.exe	97
PID 3336 wrote to memory of 4772	3336	cmd.exe	99
PID 3336 wrote to memory of 4772	3336	cmd.exe	99
PID 4772 wrote to memory of 3884	4772	cmd.exe	100
PID 4772 wrote to memory of 3884	4772	cmd.exe	100
PID 416 wrote to memory of 4336	416	IN.exe	101
PID 416 wrote to memory of 4336	416	IN.exe	101
PID 416 wrote to memory of 4336	416	IN.exe	101
PID 4336 wrote to memory of 2360	4336	cmd.exe	103
PID 4336 wrote to memory of 2360	4336	cmd.exe	103
PID 2360 wrote to memory of 2976	2360	cmd.exe	104
PID 2360 wrote to memory of 2976	2360	cmd.exe	104
PID 416 wrote to memory of 5072	416	IN.exe	105
PID 416 wrote to memory of 5072	416	IN.exe	105
PID 416 wrote to memory of 5072	416	IN.exe	105
PID 5072 wrote to memory of 3104	5072	cmd.exe	107
PID 5072 wrote to memory of 3104	5072	cmd.exe	107
PID 3104 wrote to memory of 1432	3104	cmd.exe	108
PID 3104 wrote to memory of 1432	3104	cmd.exe	108
PID 416 wrote to memory of 3312	416	IN.exe	109
PID 416 wrote to memory of 3312	416	IN.exe	109
PID 416 wrote to memory of 3312	416	IN.exe	109
PID 3312 wrote to memory of 1644	3312	cmd.exe	111
PID 3312 wrote to memory of 1644	3312	cmd.exe	111
PID 1644 wrote to memory of 2824	1644	cmd.exe	112
PID 1644 wrote to memory of 2824	1644	cmd.exe	112
PID 416 wrote to memory of 4244	416	IN.exe	113
PID 416 wrote to memory of 4244	416	IN.exe	113
PID 416 wrote to memory of 4244	416	IN.exe	113
PID 4244 wrote to memory of 3016	4244	cmd.exe	115
PID 4244 wrote to memory of 3016	4244	cmd.exe	115
PID 3016 wrote to memory of 4468	3016	cmd.exe	116
PID 3016 wrote to memory of 4468	3016	cmd.exe	116
PID 416 wrote to memory of 748	416	IN.exe	117
PID 416 wrote to memory of 748	416	IN.exe	117
PID 416 wrote to memory of 748	416	IN.exe	117
PID 748 wrote to memory of 492	748	cmd.exe	119
PID 748 wrote to memory of 492	748	cmd.exe	119
PID 492 wrote to memory of 4932	492	cmd.exe	120
PID 492 wrote to memory of 4932	492	cmd.exe	120
PID 416 wrote to memory of 3152	416	IN.exe	121
PID 416 wrote to memory of 3152	416	IN.exe	121
PID 416 wrote to memory of 3152	416	IN.exe	121
PID 3152 wrote to memory of 980	3152	cmd.exe	123
PID 3152 wrote to memory of 980	3152	cmd.exe	123
PID 980 wrote to memory of 1292	980	cmd.exe	124
PID 980 wrote to memory of 1292	980	cmd.exe	124
PID 416 wrote to memory of 560	416	IN.exe	125
PID 416 wrote to memory of 560	416	IN.exe	125
PID 416 wrote to memory of 560	416	IN.exe	125

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	IN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	IN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IN.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3144
- C:\Users\Admin\AppData\Local\Temp\IN.exe
  "C:\Users\Admin\AppData\Local\Temp\IN.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:416
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:492
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:980
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:4748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:4184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:948
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:2952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:4836
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4696
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:4760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2716
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:1388
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:2376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:4384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:2800
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2044
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:556
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:3884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:2840
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:2360
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:4336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:3424
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1416
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:5072
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1688
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:2440
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:4408
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2524
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:3868
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:2664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:4308
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:792
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:3344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:4820
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:3028
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:5052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:4496
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:572
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:532
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:4208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2852
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:4376
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:4168
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2512
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:3500
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:3872
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        Drops file in Windows directory
        
        PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:3812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:3036
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:4184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:4732
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:4936
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2376
- C:\Users\Admin\AppData\Local\Temp\IN.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\IN.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:556

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
1⤵
- Kills process with taskkill
PID:3120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer

Filesize
7KB

MD5
b7739e4f4ccca712ddf982fbb075d04f

SHA1
8fd13a61b8bde683072d84f04ce5e9c720bfc599

SHA256
623a5af7ea5a254e3a2cfbfe7f52464b33b5e4be593bf99c57878d20ceac71b2

SHA512
47630e760c2fb9ce51696d30364843ab798ade1e1beed5814481270bbf8c788e2a8fc2785b01f6b25b245732b5418a31222bcddc297d2ffa047f82236a997f8a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
07dd3f61a4850502a3867838fe924b22

SHA1
a8fcbaed5a5c494026f9dc52450d2873f214b148

SHA256
4019d72f0a961895f9b858d72a8946ef0dbba4d312d74b965195c24be9e744b5

SHA512
f974c281eb97bade8c27cabeb58a61e89d9ea3c59e44fc3624a9fa9ce858f4226ab4aa3abfef2216b762b26bd661bf8a1b9be1b74ab027f6a50939e84a3700b8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
e35ff506f84848ec3cbd75e70bdc0b70

SHA1
0003a00597eeb4f7a4fa76880d104c648d369217

SHA256
329319f3047a263b901fd47e60d4487ef8d17b891a076d061171bd4cad3fcfe4

SHA512
9cfbf25df8f45b029c08992d482c397255718f08f76a79f90e1599eeeb162269a262b7c6d3a534cf97c7644c3f34ef93e6387d85fb0f13d230f9fb51bccae0ef

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
e3484c370e473bcc06ee55f1d510555f

SHA1
fda81edff7d7c5dd7019d3c3cd310a6393d2875b

SHA256
588baea132e484e6eca379f0c34c292b4472480f5f4603dbdaf023168fff3e7f

SHA512
7e2c04af8b610531b8a358e56582aeb5cff3f4f5abca8371b2f74cb41af8d3e206840f6103665c3788a3c29c9eb9cb0e76b6df11549baa3c4b0e5363d21f3142

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html

Filesize
10KB

MD5
416bf5b2700ce8e0498faf1ec6bba713

SHA1
6e08ee8d8590bb5efcac77ce8ee594e0c9a5daf5

SHA256
c5cdff18f0f1391a806d7203c42edb2f7b49876c5a94bb1d43742a1f26345a85

SHA512
a53ec1026eb309f2f515baae43caec9ae8d43c659ab7b46bd43b7278bb3e0a7610a41ccb325a2de9884f07ad4d6c50a70f87ee6f0039cf4043f1d86c941da9c4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden

Filesize
1KB

MD5
0aa5d09cd7356dd53b60a103f34454ed

SHA1
89b597a2d5b3dbdfb7a39b97845bc1c07bad20ce

SHA256
dc17c250e1e1437baa5b649b32532051f25db0b29229b0999d531fdba07c19ee

SHA512
ba474b2c11e7e0f4f1e868d0305196b50b9f7aa63bc2843dcf1894dc4f61fd889a393f6bc44306ee77b979af69d0178cdc67f80469b28529d843799a15a60db0

Download Submit
C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif.infected

Filesize
1KB

MD5
bc8bc9e47cae43f6498077cc4e66505b

SHA1
14aba2f7a108579a179fe510a1dfbf59bdf99934

SHA256
ed6e51b3445eb3e51ccc107abdf9cc8cd07fa98923de14788c39da0d867c17a9

SHA512
cd93e0c06929d78319938986ac6b02052284c79cdd8096781d29dd95a4790feb3067c6a0a89b2b42ec32b84f4bb01241c539a99439a5133a0ccec397d5c144f5

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
1KB

MD5
47576c6cfd4d8184b1993061f4544939

SHA1
00733f4ca9973c2c51cf5ca39427681f10e14aa0

SHA256
f8e7297c874c96a0c19ada5b2ed4e3a4f9139cd139c87da04e809f9ea68bb03a

SHA512
8dfef6d4cd83041fec1531b3bae8d5c73e4c9b975159f5969d10a4bf8f1e019f3fdc3f67121bd0f4d07908fdd715ac9db4392c08ed87b3b92bcb1a7b0710f03c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.infected

Filesize
1KB

MD5
46654ab9227f6e56fcc43b5ca1229f9d

SHA1
1662e8a29e0a635fe2bd6cf6b5c7cc6c0f74e925

SHA256
bec373ef34183037c0460e32aab4808128563b6c10c422916a24532249522aaa

SHA512
2518d90b64a030ff6f368cd3e144292bdd6263a2bf54669f01fb216932d12811622d8291623d01ddaec51e0f834121feac890cb4a8c5a3e85f7575d0c83a6521

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.infected

Filesize
1KB

MD5
0dd436e71080cfcd5c4f729b3c24bdce

SHA1
96efddea72b7fa1b62d78e174826b3b9e3572638

SHA256
794cca21841b6811574226066a5a4a9a3f79eb6eeb18876d82ee27f97ecc351a

SHA512
2703098d869c16104f8104feb59caf903c48ca7f85f985994a6eb454fdf3859e1543c90c785d0aad477324e28f15f5e7738b7c19240cd1440ef06e4a0f7067b1

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

Filesize
1KB

MD5
50ccbd53ead1c32b27c13391302f92f9

SHA1
2de1a5408a5c221c644c65e711710c07516b2fe5

SHA256
7dcc5c68b4d07a1f5e7856a2ba16cf77c91240e66fa86200f7d64b3b8b626130

SHA512
7628fc7f2080f0ff3471f1f6a2c2a66c1f72a28e7e191c7be8344bdd412c2f3f3184011933c27cc16d7861ef77f601aa187cab3a2dfa293273f1bb2b14950aac

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub

Filesize
1KB

MD5
dc41d6ccc822d97b05fabdb398959988

SHA1
42751214bee8cc5a854442341324539cd51da055

SHA256
d2586f7ee82c724289f6fd4059934f30667e39e3f447fe076ef0619500ee4b7e

SHA512
efae19e3c11743d947366dd1e3c4552c41e7509a8e583497a110d9d5be4779c21cdd163862c89071a55d10ef4df5ba4525219ec62a86709bd49b9fde93882ed4

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

Filesize
2.4MB

MD5
d2fcbd86faff12b7761bbae315a2ce72

SHA1
38798a78e1d8b61dae3d9d4164f3d07d4f3a8b04

SHA256
05a31ad3860bec4163e0a8ea6a02fc161cae0501408f8736913cb9c8c8b1d3d0

SHA512
b244661fc438942115927d443b3df628494219cb4d258d42e0d5648c322db79fa5c28327ff9709914535f1c96164f34405ad98220217fa15129fbfe2487b17d8

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
45e63daa0bf896285b6e32b6d8d49dc9

SHA1
8c1af5bfed11a1e0acb683c0628dde813409321a

SHA256
35f4902213846787a96d77828b76bab0a475b47f7f789d2fd6d9a5d97c23c0a5

SHA512
357810f89899534b380764aa52a2945b36830230fbfc33148a9b698de5ff6a5b323cce4279c289525d4138e908b13c1a3f6724b2cbef0244c613744b145422bf

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo

Filesize
664KB

MD5
152588ab6b47fab00638b3a2a0d11b90

SHA1
c9dab8f8345404a1d6215798a857f90113292823

SHA256
f4742b35babd42f00cbf95ccdd49bff68e6d03bbbdede842bab124decf15a706

SHA512
08e32f95cd9de37e47b2721e2cb8e5a76aca25f6959d545d22b03d4f620a625658df93d968e0acde74a4f50f07187fad34acf829225595baa2834c769b7932e5

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
704KB

MD5
ec7020e9bea8e04cc6cd38d6b718ebb0

SHA1
ea7f4e624eced92bfdf48947a7a631b8d72c84db

SHA256
e3af091cc7345a49c2cf022141504e96d8657cf67db59a8d04a82de00a8c3e46

SHA512
053873287434af5e1dac78822314b177f80dc90ebc3076f5d1448d9cb52bc466d1f5b5f16225ba656a313c6ff94f14c6e623bc125a59aaf355708df52afec438

Download Submit
C:\odt\HOW_TO_BACK_FILES.html

Filesize
3KB

MD5
a8514fd9f3a52ab2a00f57494d03b2fe

SHA1
0e204aabbd8b5d6ee1b36d10429d65eb436afd14

SHA256
056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028

SHA512
6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

Download Submit