Malware Analysis Report

2024-09-11 01:53

Sample ID 231013-ray23scb75
Target IN.exe
SHA256 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
Tags: medusalocker evasion persistence ransomware

Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51

Threat Level: Known bad

The file IN.exe was found to be: Known bad.

Malicious Activity Summary

Tags: medusalocker evasion persistence ransomware

Medusalocker family

Suspicious use of NtCreateUserProcessOtherParentProcess

MedusaLocker payload

Renames multiple (4302) files with added filename extension

Modifies boot configuration data using bcdedit

Renames multiple (7554) files with added filename extension

Deletes shadow copies

Deletes System State backups

Deletes system backups

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

System policy modification

Interacts with shadow copies

Kills process with taskkill

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2023-10-13 14:00

Signatures

MedusaLocker payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Medusalocker family

Tags: medusalocker

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-13 14:00

Reported: 2023-10-13 14:03

Platform: win7-20230831-en

Max time kernel: 156s

Max time network: 129s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1916 created 1204 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\Explorer.EXE

Deletes shadow copies

Tags: ransomware

Modifies boot configuration data using bcdedit

Tags: ransomware evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A
N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A

Renames multiple (7554) files with added filename extension

Tags: ransomware

Deletes System State backups

Tags: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Deletes system backups

Tags: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wbadmin.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\"" | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\"" | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\mosaic_window.html | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\HOW_TO_BACK_FILES.html | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\icon.png | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGZIPC.XML | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\STRBRST.POC | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\fr-FR\jnwdui.dll.mui | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\HOW_TO_BACK_FILES.html | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1CACH.LEX | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185818.WMF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0286068.WMF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Common Files\System\msadc\fr-FR\msadcer.dll.mui | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\slideShow.js | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\clock.html | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\kk\HOW_TO_BACK_FILES.html | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ko\HOW_TO_BACK_FILES.html | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\XLMACRO.CHM | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14579_.GIF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\VeriSign_Class_3_Public_Primary_CA.cer | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SNIPE.POC | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\external_extensions.json | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HTECH_01.MID | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Maroon.css | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\calendar.css | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01701_.WMF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\it-IT\Mahjong.exe.mui | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\HOW_TO_BACK_FILES.html | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\cpu.css | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Accra | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151073.WMF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185806.WMF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\33.png | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\it-IT\msoeres.dll.mui | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous.png | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\THMBNAIL.PNG | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02025_.WMF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\HOW_TO_BACK_FILES.html | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\ja-JP\WMPSideShowGadget.exe.mui | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0075478.GIF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\fr-FR\HOW_TO_BACK_FILES.html | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01682_.WMF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_ON.GIF | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB11.BDR | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl | C:\Windows\system32\wbadmin.exe | N/A
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl | C:\Windows\system32\wbadmin.exe | N/A
File opened for modification | C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl | C:\Windows\system32\wbadmin.exe | N/A

Enumerates physical storage devices

Interacts with shadow copies

Tags: ransomware

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
(the row above is recorded 64 times in the report, one per process-enumeration event)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1916 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1892 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 1892 wrote to memory of 2560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 1916 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 3024 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 3024 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 3024 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2688 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2688 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2688 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1916 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 1588 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 1588 wrote to memory of 2640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 2640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1588 wrote to memory of 2640 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1916 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2840 wrote to memory of 1592 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 1592 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1592 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1592 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1916 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2460 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2460 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2460 wrote to memory of 2532 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2532 wrote to memory of 2544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2532 wrote to memory of 2544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2532 wrote to memory of 2544 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1916 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 2132 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2132 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2132 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2132 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe
PID 2132 wrote to memory of 1492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2132 wrote to memory of 1492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2132 wrote to memory of 1492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1916 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\IN.exe | C:\Windows\SysWOW64\cmd.exe

System policy modification

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | C:\Users\Admin\AppData\Local\Temp\IN.exe | N/A

Uses Volume Shadow Copy service COM API

Tags: ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\IN.exe

"C:\Users\Admin\AppData\Local\Temp\IN.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Users\Admin\AppData\Local\Temp\IN.exe

\\?\C:\Users\Admin\AppData\Local\Temp\IN.exe -network

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

\Device\HarddiskVolume1\Boot\es-ES\HOW_TO_BACK_FILES.html

MD5 a8514fd9f3a52ab2a00f57494d03b2fe
SHA1 0e204aabbd8b5d6ee1b36d10429d65eb436afd14
SHA256 056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
SHA512 6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

MD5 c1c06e7ea206a95bd7cc4053549bce07
SHA1 b2efcfe17067e5fed856594f55cbaba15b989ff4
SHA256 a142cb412e4da5ac094992456dbe6684419d39e3f71444e9648098cef1361dcf
SHA512 d1c87bc7d25d3a9953c9edaea5e9f1bab2cecb9b341ee2fced4499f091650c6cba9bc4c2343a4d5cec99e0796b7ac40747adda25f529673a85a0fe267d747cac

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 78da61b5fdcccfdae668ed438582b3c4
SHA1 6feba6c3085129068885e4ecb69e8a5b64a7b09a
SHA256 f41e008ab8bcc8966245786288e3aa6f2b999d48ff1084d581645478e19ce6fc
SHA512 c4e2b76d0456656b296cbe378a8c3338b93ffa34d7d54f9c85d47de7781ceae323d8c22316323bd415fbf2a76f0dd8a5cfc1ed294fc02efe48388af173b15134

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

MD5 591f4c66afdb73880bac9efe4f9f4cac
SHA1 eb422a22fef50f5821846cbcf5ba2dff86533d5a
SHA256 829f6662e3581cd28e07b35ad95b29719b8cf82721099c30d4dd242c2e0c4833
SHA512 51d647ff5bfc45c46f1bae3086dcd202fb5dcfdf98ef20113f58a520ff8f9059f3f9290da2e270383c8a65e64243c661ce46efcd4b872440d873d4b1f7d1fc12

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

MD5 9b726cbfedab7421663f2190086fccd1
SHA1 5952d6be410ce5874946c74e0e27100af4c3651f
SHA256 f0817114f70794cc21b6cd3164b6b0a058fcca7ff7f413f2fa33fe3c835290b7
SHA512 93eb4cb79b01696f187068656e14cb58f1b11d56a28ff35720af41ae9b7222a58f86e2d5e502636d0e34b7679b252eb0818088cfa9872cdc98b7294a017761ab

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

MD5 8b7849e13888a14306af84b97ea69aa4
SHA1 c4866aa033f10bba3ce0110a0b34a314ed9c01b7
SHA256 84c09782c3ed56c8c461278878903da17c645cf59749ce515a0b22446f734cd3
SHA512 5b7e49b75157fc7de5d4ca8a70b185eb938e14721255b81f56c9574fde5b6e2f059d99381a0c8f3307079aded399fe202292064e39dc6cb220e4a6c0e5a96aa5

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

MD5 53cf87bd5b38269edc5a568962607c6e
SHA1 5ca0932bee25612719a0aa3696842839b0cd7a07
SHA256 e789566fb1c45c53d5cd7b956b39ec46515d8f92a9fee0dd48bc7d9a09a3e0f0
SHA512 2d7207344f8cfc40f1591d206b7c96ae3f41ebe313d381c4f3b957c252c1845965f749fb6db7b1c26cd1f23bfbec929897e5801ae5be213e03b00894d4860afa

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 949768128e4e9654bd6ea5f5fea39309
SHA1 a0b4ff185b36ce79204a98ed2e4a294380a172d2
SHA256 35a9e2766ae74cb6f5d2c3caa1bae0c3b3048c8406a9abcbab2c289ffca4d382
SHA512 c5e68ce25ad559787e24897dba466543010dc8e3bb6a7e6853ed937edcf0eac4f59b9838ee11f0a3ef6b3c4a43a9747cd1c0e5276641d54e4d7491165e27820d

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 37eb5eb50f8cac77cc9fc8c207d2b7b4
SHA1 56cce3cea024b5549c5608942dff0b51cddc64ac
SHA256 9dc5958900def33af57d2ac65be5df30728e09e177dd5c046b3f8786c34fc145
SHA512 f9a981a582bcd04c4f7ee95fb415394559268e38787ada80480c4e46b98cc543b7c182237423a821086721cfd4b1281cb1f0bb23bf3795d4f646b2586ce757c6

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 92606a89e7721ce7ef016865f34c03e6
SHA1 aa5398d1fb49a66ce69847a7defd03dba265f963
SHA256 997446940ded5648e82c39143d571b21d9f9c6260046b76f7041ab8b1c00aef7
SHA512 92f6403c8b3bd87c389bd852967d44be15949fa8caf96cd797b55f658b0028dfa5a3b1206f9f2c68e8dea29eedd6e59eeb544f29b74b66e073efa90069edf8ad

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 24bb33b3b8ffa9789719a8dc584439e2
SHA1 09d9643928a287265601b77e4cc16528f7108020
SHA256 fd5210abdea0d4e07b2f7f524b6e3da66e6bad2848a559004d976c210e810fdf
SHA512 98291859841d7b37c0cc6b6f5a5e34430cec9bb20a6287b015b7e299e1300dc1418922dedc47829ea4c8e48e27e6dd53a1d10c049da3e8e73b940861578c2a50

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 af3387415c00a4252a66fe521d008854
SHA1 72ffdb728ec111e161668c94c5d6c1e7f00d655a
SHA256 ab6f0286b3984ee5681a4e0d28a5efbbeb7cebb6212cb91802e4b1dae6bfce1c
SHA512 a2c2afb582492fe62ba88639ca0e0ee7229f8be22968246868c2764e825447b9372bb1e5c33c28bcb8ccc22b7af6ae26ec74b243069c46797d7d8db0d1ed8e6f

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html.infected

MD5 2bb567fbb5f51686c344eea6f8b6e585
SHA1 d31f81919f44f6798a3b0685387f7f27daa19133
SHA256 bae7daed0a314b003742fb1951bca82040f465eb06ee28253737698dc8eebb23
SHA512 455708a01030fa2cb8f3474d70c67e1edc52c4efcc3f5fa4c070b46258bedebe8d227ab4ee23322607293d1901f66a75bb30a900d348f12aa69d3d6d844ddf2b

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

MD5 94095610c67607f571761a1282e52582
SHA1 156b2914c2b26258e37d67967f18db2419abf555
SHA256 39d26cec174af43caced86441a6b099abe6935d87b24c8b202aa513941468ca0
SHA512 e4c839b2fbb8e83ff56014978d1d2474ebddeb8006eadfb0dae30b0efbe2acda3a93db90ccd16ee0a2a64d9f17557573bb162b3421fdea6e68adb8afa46177d6

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

MD5 347ad211b859431ae3f8db9d646e6b1f
SHA1 de483f33cffdaba49361ad558df9b1a9fa0aabb7
SHA256 c182dac873540ac4a62997c726a7230f1fc400619f341b834f3900559994c2df
SHA512 38dc27bd0641616f0bf9b7df91f4a61c454146d8f703bd77343efb6ddda27c0c24009e0d79898c83bc0b72e35abd492f3a3c7ec363e48ae3ee973b1d770390be

C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 c1a6d642228a2fc793064bd38740f073
SHA1 239e56440598ecf56c63ed6c5197397fcb6996db
SHA256 632a13258f3e1f63eb1ba5f2a92d2aa470af1beef3b6c8b830eb28be352d4636
SHA512 f456ec13fffc90b447d776761a7ea5420a24714303fa63c0c49ab697e97425b4e029e30189f809e775637b17a4d2e4d7e660908360dfba9d406938ac363fb954

C:\Program Files\Java\jre7\lib\zi\Etc\UTC.infected

MD5 9ae1effe91f14b305f709fbce5bb3b51
SHA1 d315b987f0f9225f5c11e2ea86ff61dda1db97ea
SHA256 1904e39ad16ab5ae591f3f39bd41d86e6632e1f1d7309205ae7261bcf8d16db6
SHA512 a5a10af0c22e70b27c73479aff524a41a39e1d2adc3422c85c1d3a8256baff45b748915ce44e3f9b1e06c8545cc11614107d7ec393b6e663c9e111aedef306f7

C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.infected

MD5 4334213852f2bd9f27fa29148a4e34cc
SHA1 9045a7265c78fd5aabe47e88359f19852e2ee2c8
SHA256 bce9cd5391e6d5732d3cd5e55ef3a3070afa2e4d2501ab100d073a4ec9a901db
SHA512 cc795580bd95af63c56f855e761d0570f80dcfc48cca981b798bb7d2849add685ffc0c88f7527c4a386c09083f444c30065270cd11566b011aad191d5ff1e717

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

MD5 0ac71153dea6528304eaf4620aba2efc
SHA1 e61b1e16d4b1f5ddb7be65f83918c239834c74cd
SHA256 5bf45e2293c060543c8f3333db53c61cd4d9e2daa86a07b1ec76cab68837e1d8
SHA512 d9204fc763333949bf5768835d176e504194da0b72c52b9a727bb829e60e9e12b9adaf4e962ee25020281695e17313c31dd05eba8d2e6febde89e98a17ce96a4

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

MD5 d934279f214841ec99fbe0982faa951a
SHA1 645e8e37dc7369c8e46f0b69c08a85ec2327c19c
SHA256 135cf11073ad57f95a7f396c052c6309bdb768c6e65c5269853ec6bd1fde1acd
SHA512 ec957a84f3499895c96b9572e5c7f64fcb3190f0f7ff3f332f06860c061a27a7d818ff929c1b7d262aa7eaa7471e4f15ea31cf024e72a4aa2bc09d8739428895

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 90c87dbd80e56f2f25f4118d9efd41c6
SHA1 18b5536ac77231429ccfae8fb4e12fc2b184f32f
SHA256 740a7e143e6aaee8a73cc98ea7f8ca3d8d2bb40544c98485fa26949acb283e6a
SHA512 5fe91b5a428b6aa0da21ca8bf95661f8bcb921703b173c7bc7b05273cb56f6bf895afb09f26705bccb10e7c6cd0ae85e44939afc385efa8184c0a5cd273f0565

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF.infected

MD5 ed135cb6744244a81cb7eb6966aaf1c6
SHA1 63f756d43cdb441942c727a9fb05fdceff5e3c66
SHA256 2550b2cd6e3e117ab7b56a841ebff25500da4fbd5085f822745a8811a846a415
SHA512 e7657b8f305063b959b8f4b71785db784e4b6576d55e664c0fecf14fa3090f95d4ce580a8e37275e9c539595026ab0e3394665d6b1916226598a87053d7689bb

C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_K_COL.HXK

MD5 896be533068f56bed17044fe016139f1
SHA1 d33dc08d965418f126ab88b8eddcc0c3b6495cb2
SHA256 2b204c08084645a29fc627d7639d142c588efa394b850e728a0def890976c5a1
SHA512 735bb19114c445c068e293599c6e08afc75b89a00c01df269c6024a46b4282c88a948811e557dabdd3d389baa9144b9b5f0dcf90b545330dc114e573d491b672

C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTORE_F_COL.HXK

MD5 6a992d64b04142f8d67a040662d10e45
SHA1 363c824df805ae3b58afd3746a3305cbd7473329
SHA256 36e52b278b51b1b23d3530fc5f69d645b4399bde44f466101d8bc2bfb46aded2
SHA512 d2c3053b49f13cda57d40faa0f3fc742effbf74ec476be80ebc8d4bc6b9085592eb9cda78768122ac418dea8665a23ffeb4b6d1e41e6974e1b59fc3fd4c25470

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

MD5 5a1e14d9111ccc6e3c791555926dd953
SHA1 2186f07b511aee763de7ebe2c4c5fe8b965bfd9e
SHA256 05d981d3ebbbb05bbd0b523ca7556d98b82a51b98b3c2807cee13a0ccda4c294
SHA512 0aa6fdbb7fdab90887208e872814f1093ae6a1d12dc79d524a77f2606278cf7f01f77e3595d1395b4f02523008adb6beb375a15d1c74b8db26c3222a556fa943

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

MD5 9bead423b487cc6a7dd6eb1997fc2717
SHA1 87cf3b78bd2faeb2a555254ac22a1446f8da0fc6
SHA256 f70078c4da03444f198c212525f82c0068570812f30d731e22a29044596b033f
SHA512 17025c8da250e015b006ca479ade159209e2f551f1ff08dc035a923ede33dd404a0b5bc9c3c94c67611e5cbb3016ba88a0c6ecd0a2ef6bd0bc853228d0667ef1

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

MD5 a43f572d01503d3aef99d314c271a094
SHA1 261c8c0cb2b5ec8b443ead1ecf50ee3ce68a72a6
SHA256 abaac16983062ae354805e689853ea6af1f560037d22c59fe47cb23906f5ee05
SHA512 7c5cd8ea22785eec80b6c58a809e8b8f2df01eae371a8b12534e276ce185d8d85024284e56f2ab6875bd57cf3ad39fcc84e475f94a374d5f8edab868591522a7

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif

MD5 7f34c1ab691e6bf6b9b6ff6e6491b844
SHA1 ba38aba07006dc3e9ce0732716af2110a76976b7
SHA256 051ac43874a3e12f32776c6e03b99016a8da952d2ba5a0815c1d9d600a7cecff
SHA512 f969cabd2c2ae9c438085eca389e5592c3cd3f498e2da39b474136a908b9fa9ce434198e3a3ddaac870a472e7f1a718a700631b4aebceec2a257f2be4736d48f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF.infected

MD5 56a720b96627cc0665a29a2468707d2d
SHA1 f6ce61bbe811059a115d80df56e997cad8a44038
SHA256 b2be36a2153d5c25849448b35b8274653e9d0c5cb6af73b9c651241faacfb78e
SHA512 8405ecf30780b11a019574c4a0c218a6639d35c58797d284693811f109753c8f1daa8e0b85ae3338c8cf0fc4fc95ea53998c1c09e28708917c2b7deaf5ca74bd

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

MD5 5fac65d7f08a57c050b1bfda5d227483
SHA1 21d1c72961337874b5d54173f4019fd577f947ad
SHA256 c1797f3d02583dbbb8ded2f6815c5d9d8946f147f1e6ceeec00305cf450bdc9a
SHA512 7c2d50ebf4673fc18be40e5547e58ea1cce14d405212b04899b2d68f30e9a8805162e0ca98c7a5d934c8158e8fabbec0b9aaa3e5d847b5511a06df5cc4a548b0

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

MD5 21afe05e6c9c232269fe28cf3469be94
SHA1 7bd338410c7b9ad46be1283dfa7faeb85f6a2105
SHA256 dac6a17690ff60dd7c9623c8670004821368a63d2ed39d3ee2c357a2a8c715da
SHA512 66ef47182cbeadb77d927639e3b92208100f0b366ddf8cf78c44a938a78e9f37909cf71e9d430f2393b138dc85d61b81924f15681ed15486ac177d4ece9d54d8

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

MD5 99c483af8d122e48a8c1af1bdc8d1a6d
SHA1 9fa1cbc3c14b44233aab04612ad544d099debb4c
SHA256 7309ab997ea3c049f949f461f020ce2b0acf4c0fce1a68e181312ed132a2c8d9
SHA512 f68b6e78ca28848d878ef6e4768b2d5734018b1d42bcca57925f4ae8799421ec5e4cbbaaccd84dd763c1ed4a47eea9deff6ac7de177878e6e485a2d9fc36ca2e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 0116b4051d80600487f14e033b06d036
SHA1 5dd88ea81e1a1b736c1c451923cf404dee0ea944
SHA256 685449eab201f8768f35dc686b05987a88e9793354dff16f2ab2aa265ccde4dc
SHA512 f557c8c241af083f327b38e19fe0b2cdab5ed083685000939a09917c5ab445ce3bb9d68d90890ef2319115055305ade7af24f8ac1222102bf7710d7dd4b3e22a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 9ad5fb630d8ed0c71b7499613e1caf3d
SHA1 6283516cb469ddb1f04eee90cd8226380c686d9b
SHA256 a62571f7cadea933db6e9842ac33881ae88da1e678a5a0dd548b1398bfaaa8b3
SHA512 a8c17982c3b8ef74cbe41f531545327c24e83eda8fdf7876ccfbf76b2de55b2ebc7d5ff60a5521e29de382d8e5202b0fb998bb50742c30df9a31bda05fecfa1d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 6556dece2ba37c0946a895ffeaab2589
SHA1 cf9cdfaf7d79e3b021a56efab3b24c9f69fcb6c4
SHA256 1580481bb273a4f12d24a9e35f4ba04cc4578b359ff05921e58fc36f571e4383
SHA512 9ece50aaf613f5dca54c2bb17b1021f4003911c896e60c5022ec3483bee3c81fc27dc5d867c50feec3d811d21c8d1fa1928780040943756e25858c1d2941dc4d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 7fbeef79934fb1ea9e504f10549ccf1d
SHA1 d1314d57d7891cd952b024b6fa16e4e3371d8d7b
SHA256 4115b166e97662f105c7444c7aef4b1772132ddf2a6ac403240abc48a3290c33
SHA512 95695ad86d128a31f45d1b1b2d952077db3a8db9bab69fe45d0dd1be50d6275adb260e5508c935c072ca2963c9b5d47e90fade7ff042296667a0105b79565fd9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 5e8ce55f5c0f34c95f7d56b81361c580
SHA1 b78d718ecb5c1b2f137060c45a347587755f7da0
SHA256 0fe44633e696aded2c8913b9a46220d901106f26eeb29fe8daab457d336be28e
SHA512 0ec27c9a20b2dd578c0bdef5bda805027dd39b27366ddc0be7590531ae688a0cd79ba2aa408d6651e741f4423f86921a2916c941100b531f83e272dabf3bda09

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 99abca91244caf8233b32f902e5c322b
SHA1 cab2335fe0b189bef3b3ba614244c8d9d320f363
SHA256 ca2468b643af368385f918668fab390b5d0f1c4b231cc6093a212f4a56189702
SHA512 d52fd8d4e31830ae89c75466682b162b73ff89a3b89d5008c1c8572f94d86f8edf9ef84246b462361330eafc227541f3a91659a2d48a91ad9fcb17c7383d035d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 029427e885662d6e660e800d31ba7251
SHA1 1be3698634a079f84d17a1b2f60e83353c57da99
SHA256 9ecedc95294ba8e5c49fd060d12a0d283cc411e2a9915e2797889a75f4b33947
SHA512 da120a8380e6564e93270b5a65afc01bdedd01c5a92147238905598510716849bd7d218cc630e76287a556c16169c0b19b7584c9dffdd1d8dc77c4a8da1e6037

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 f0f7ccdefa36bed29c6deffe05c332e5
SHA1 3baac09347c13920689dbbb6a35bf2d7d3ee5792
SHA256 56a742063617221293eb190b997ed69f79546729b8d1801e8086b4195560ce1f
SHA512 1dabd5b80b6f53b59b5b12b501cc7710c9cb61045b4a847f0542bcb1ae365fc6b8b21e857c36ea3b1a0f213c9715707951c7838bc50b40d5545e6575abf9189c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 5bd0377da2cfe8fda308288a7d322b3b
SHA1 9662e890c73bf3781a5023f57f38db8f7993db72
SHA256 079be119a990567dc56871c8aed461272b90f75fa1f46b3e043f8566d5a114cb
SHA512 185c10466d90c66bf1e67006804d3d9f0803b41d9434b479f9e461e256095e52428daa303080de592bc8489c0742940bfe95f7249009b4edd8d94898f2dcdada

C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

MD5 14d2416669e3e533e67a5868818726e6
SHA1 722fc785b8a6c7cc330e1011eb8faae72c7d8a6f
SHA256 d2a1b2b52a1645c06f465cb77ae6e0503af75fb47cb0e9e219a95fd236a7a79f
SHA512 ae3e29912c90e7446e6fae7f51fab6f01c893da1aeab5c8a334f63e5971d3cf5eeea6dee6bd0be41f98c76a2e57d1f1eab710efe8b4ef8c27580d35e3bdd70c0

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML.infected

MD5 bfa6f9ac725b9c832dd83b07095f7dc6
SHA1 0eeaadea68d47a534ed4d72ad2aa98c58c5d48ac
SHA256 7abdc75149007d5dbbbcae36b1cf82f1e8e0488e1316d68ba21542217119254e
SHA512 190be4d9590d4cc424060921e59fac4ce554788d1e4ebfad3eec941d332e19f5810872c880a5f746907b105a42e61a2cffb64f16245191897f97136e34783b52

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML

MD5 44acb414f2dd30f2d372a1ed0f0e59d5
SHA1 a82ea2495ca3357b98fb205570ae4690e682a77c
SHA256 f570a8e0976686f10143c995366c2de5a38e6929d54306d337a3d264340b0653
SHA512 792440b19c97a8970f24c6300279f84f615db1c8876bb5c93a494da3d0b5bb934d619981545ff6c50b503aa5d332f83d6fef1eba421d4c0369b5f7cc0f8f5ae2

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

MD5 d06f7f2fc348d6753f0db4b9f6da4ad3
SHA1 2c7e5918aca11647053b2f98f19e6cce854ae00b
SHA256 5dc3aa70eea67a7493aec4400916dcf89bed7033b4ee3b3d9fde53e009ad98a4
SHA512 277315efdf71ad659d58c56c58146328bfae667aa52d5dc34d477ca14b3cd45708d799cc172ed80bdf96c41ba3b0712b3f5b8526db06211ca19bb0284e58f31e

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

MD5 ad1c464325d87d232b47440f0103e643
SHA1 c49994a971d7b81ecd15e9e1aac733b0d4c7aebd
SHA256 a753be0aa7dbb947b72607a5a7e2dd8d68c15b187c0d7b3cbc8cb6a2f2070606
SHA512 bd63f49223af14911bb3cae66b74e30292bf395b5d1f6cd2fe6f9bcb9fc098d5e7b711d43acb70503516b6ca0f49746647080e25d0c4a04f7968de761979959f

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000.infected

MD5 57a1056ac072c33ff3c9800c552dcaec
SHA1 37e411664d18490bfa50459a413cf13b9e4fd2da
SHA256 56817809dcc3bb2ffaba1a15d49d89cfd426770483b78e081587fdaffd8ce8b9
SHA512 323fb5175f1809c5f6636571e6d2576a5ecd9f66bcc63fffc94f8ff0c1464542c25393d1e7f4692417a91500e2eccbe294918da3120bdaa4bf1cc58a3e100e22

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

MD5 50364f72f29eaf21c69d0f8fe8fd1dae
SHA1 8d4794ae363e8014624e96ca847b94ec39f646b9
SHA256 54fe65f6f6f9b0a9eb4060776c1bc97ff0aeabbc1ac9f9d432a30ba65121c06e
SHA512 bf63717dc124ecd5b3eee74abfe07aafd86d24fe35956ff41f423511b68acd9065718744b60ec812b5e3e2ef480462dcca0f580fbd31d3b9198d7eb2dd7475cd

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-13 14:00

Reported

2023-10-13 14:03

Platform

win10v2004-20230915-en

Max time kernel

154s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 416 created 3144 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (4302) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\"" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\"" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Uninstall Information\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\THMBNAIL.PNG C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_ja.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\MLASeventhEditionOfficeOnline.xsl C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\dcf.x-none.msi.16.x-none.tree.dat C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerActionExceptionHandlers.exsd C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Common Files\System\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-impl.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\af.txt C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\comments.win32.tpn C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-templates.xml_hidden C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services_1.1.0.v20140328-1925.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\et-EE\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\msipc.dll.mui C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\msjet.xsl C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-keyring-fallback.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Subscription-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription2-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
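
Detection note (added by the editor; not part of the sandbox output or the sample): two file-level signals in the table above and in the Files section are characteristic of this family's encryption pass. The same note file, HOW_TO_BACK_FILES.html, is created in directory after directory, and files are written under their original name with an extra extension appended (the Files section lists *.gif.infected and *.HXK.infected). The Python below scores both signals over a stream of file events. The events are constructed from paths printed on this page; the thresholds, the note-name pattern and the verdict strings are the editor's choices, not the sandbox's.

```python
"""File-activity heuristics: ransom-note fan-out and appended-extension writes.
Added example, not sandbox or sample code. Events are constructed from paths on
this page; thresholds and the note-name pattern are the author's choices."""
import re
from collections import Counter, defaultdict

NOTE_NAME = re.compile(r"how.?to|readme|recover|restore|decrypt|unlock", re.I)
INNER_EXT = re.compile(r"^[a-z0-9]{1,5}$")     # the file's original extension
OUTER_EXT = re.compile(r"^[a-z0-9_-]{1,16}$")  # the extension appended after it


def split_path(path: str):
    """Return (directory, filename) for a Windows path."""
    d, _, f = path.replace("/", "\\").rpartition("\\")
    return d, f


def note_fanout(events, min_dirs=5):
    """Filenames one process created in at least `min_dirs` distinct directories.
    Returns {(process, filename): directory_count}."""
    dirs = defaultdict(set)
    for op, path, proc in events:
        if op == "create":
            d, f = split_path(path)
            dirs[(proc, f.lower())].add(d.lower())
    return {k: len(v) for k, v in dirs.items() if len(v) >= min_dirs}


def appended_extensions(events, min_files=3, min_inner=2):
    """Outer extensions appended onto names that already had one (x.gif.infected),
    seen on >= `min_files` files spanning >= `min_inner` distinct inner extensions.
    The INNER_EXT check keeps versioned names like 'x_1.1.0.v20140328-1925.jar'
    from counting as an appended extension. Returns {outer_ext: file_count}."""
    inner = defaultdict(set)
    files = Counter()
    for op, path, _ in events:
        if op != "create":
            continue
        parts = split_path(path)[1].lower().rsplit(".", 2)
        if len(parts) == 3 and INNER_EXT.match(parts[1]) and OUTER_EXT.match(parts[2]):
            files[parts[2]] += 1
            inner[parts[2]].add(parts[1])
    return {ext: n for ext, n in files.items()
            if n >= min_files and len(inner[ext]) >= min_inner}


def assess(events) -> dict:
    """Both signals together is the encryption-pass pattern; either alone is weak."""
    notes = {k: n for k, n in note_fanout(events).items() if NOTE_NAME.search(k[1])}
    exts = appended_extensions(events)
    verdict = "ransomware-file-activity" if notes and exts else "inconclusive"
    return {"ransom_notes": notes, "appended_extensions": exts, "verdict": verdict}


IN_EXE = r"C:\Users\Admin\AppData\Local\Temp\IN.exe"
# Constructed from the file tables on this page: (operation, path, writing process).
SAMPLE_EVENTS = [
    ("create", r"C:\Program Files\Common Files\System\HOW_TO_BACK_FILES.html", IN_EXE),
    ("create", r"C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\HOW_TO_BACK_FILES.html", IN_EXE),
    ("create", r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\HOW_TO_BACK_FILES.html", IN_EXE),
    ("create", r"C:\Program Files\VideoLAN\VLC\lua\http\requests\HOW_TO_BACK_FILES.html", IN_EXE),
    ("create", r"C:\Program Files\VideoLAN\VLC\plugins\access\HOW_TO_BACK_FILES.html", IN_EXE),
    ("create", r"C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\HOW_TO_BACK_FILES.html", IN_EXE),
    ("create", r"C:\odt\HOW_TO_BACK_FILES.html", IN_EXE),
    ("create", r"C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif.infected", IN_EXE),
    ("create", r"C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.infected", IN_EXE),
    ("create", r"C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.infected", IN_EXE),
    ("create", r"C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config", IN_EXE),
    ("modify", r"C:\Program Files\7-Zip\Lang\af.txt", IN_EXE),
    ("modify", r"C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar", IN_EXE),
]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

On this page's events the note fans out to seven directories and the outer extension "infected" is seen on three files with two different inner extensions, so the verdict is ransomware-file-activity; the single .exe.config entry stays below the file threshold, which is why `min_files` and `min_inner` exist: a double-extension name on its own is ordinary in Program Files, and the heuristic only carries weight when it lines up with note fan-out from the same writer.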

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseWorkingSetPrivilege (logged as LUID 33) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTimeZonePrivilege (logged as LUID 34) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreateSymbolicLinkPrivilege (logged as LUID 35) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDelegateSessionUserImpersonatePrivilege (logged as LUID 36) N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 416 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4500 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 416 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2164 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4144 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4144 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 416 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 3336 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3336 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4772 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4772 wrote to memory of 3884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 416 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4336 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2360 wrote to memory of 2976 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 416 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 5072 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 5072 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3104 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3104 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 416 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 3312 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3312 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1644 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1644 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 416 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4244 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4244 wrote to memory of 3016 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3016 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3016 wrote to memory of 4468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 416 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 748 wrote to memory of 492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 748 wrote to memory of 492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 492 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 492 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 416 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 3152 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3152 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 980 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 980 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 416 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 416 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\IN.exe

"C:\Users\Admin\AppData\Local\Temp\IN.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Users\Admin\AppData\Local\Temp\IN.exe

\\?\C:\Users\Admin\AppData\Local\Temp\IN.exe -network

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
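
Detection note (added by the editor; not part of the sandbox output or the sample): the process tree above is the sample's staging sequence before encryption. The 32-bit IN.exe launches C:\Windows\SysWOW64\cmd.exe, which re-invokes %windir%\sysnative\cmd.exe so that the 64-bit taskkill, net, vssadmin, wbadmin, wmic and bcdedit are the ones that run. The odd spellings in the tree (taskkill -f -impostgres.exe, -im sql writer.exe, wbadmin DELETE SYSTEMSTABACKUP, bcdedit ... recoverynabled No) appear verbatim at every level of the chain, so they are the sample's own command strings rather than extraction damage; those particular invocations are not valid syntax for the tools, so a rule keyed on each tool's exact documented syntax would miss the attempt. The Python below keys on the attempt instead (verb plus target class). The Proc records are constructed from the command lines printed above; the rule ids, the ATT&CK tags (T1490 Inhibit System Recovery, T1489 Service Stop) and the verdict thresholds are the editor's choices.

```python
"""Command-line detection for the pre-encryption chain in the process tree above.
Added example, not sandbox or sample code. Proc records are constructed from the
command lines on this page; rule ids, ATT&CK tags and thresholds are the author's."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    image: str    # full path of the process image, as logged
    cmdline: str  # command line, as logged


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Database engines and tooling the sample stops so their files are unlocked.
DB_PROCS = re.compile(r"sql|ssms|msmdsrv|msdtssrvr|fdlauncher|fdhost|"
                      r"reportingservicesservice|msftesql|pg_ctl|postgres", re.I)
DB_SERVICES = re.compile(r"^(mssql|sqlagent|sqlbrowser|sqlwriter|reportserver)", re.I)

# Recovery-inhibition rules: (rule id, image basenames, regex over the command line).
# Each regex keys on the attempt (verb + target class), not on exactly valid syntax, so
# the sample's own typos ("SYSTEMSTABACKUP", "recoverynabled") fire although they fail.
RULES = [
    ("T1490.vssadmin-delete-shadows", {"vssadmin.exe"},
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("T1490.wmic-shadowcopy", {"wmic.exe"},
     re.compile(r"\bshadowcopy\b", re.I)),
    ("T1490.wbadmin-delete-backup", {"wbadmin.exe"},
     re.compile(r"\bdelete\s+(catalog|\w*backup)\b", re.I)),
    ("T1490.bcdedit-disable-recovery", {"bcdedit.exe"},
     re.compile(r"/set\s+\{(default|current)\}\s+(recovery|bootstatuspolicy)", re.I)),
]


def classify(p: Proc) -> list:
    """Return the rule ids that fire for one process record."""
    hits = []
    name = basename(p.image)
    for rule_id, images, rx in RULES:
        if name in images and rx.search(p.cmdline):
            hits.append(rule_id)
    if name == "taskkill.exe":
        # The switch may be glued to the image name ("-impostgres.exe"): allow no space.
        m = re.search(r"[/-]im\s*(\S+)", p.cmdline, re.I)
        if m and DB_PROCS.search(m.group(1)):
            hits.append("T1489.taskkill-db-process")
    if name in {"net.exe", "net1.exe"}:
        m = re.search(r"\bstop\s+(\S+)", p.cmdline, re.I)
        if m and DB_SERVICES.match(m.group(1)):
            hits.append("T1489.net-stop-db-service")
    if "syswow64" in p.image.lower() and "\\sysnative\\" in p.cmdline.lower():
        # Only a 32-bit (WoW64) process resolves the sysnative alias; the sample uses it
        # to reach the 64-bit cmd.exe and system tools from a 32-bit binary.
        hits.append("wow64-sysnative-escape")
    return hits


def scan(procs) -> Counter:
    """Count rule hits over a batch of process records."""
    hits = Counter()
    for p in procs:
        hits.update(classify(p))
    return hits


def assess(procs) -> str:
    """Several distinct recovery-inhibition methods plus service kills is the ransomware
    staging pattern; one hit alone may be legitimate administration."""
    hits = scan(procs)
    inhibit = {r for r in hits if r.startswith("T1490.")}
    kill = {r for r in hits if r.startswith("T1489.")}
    if len(inhibit) >= 2 and kill:
        return "ransomware-preparation-chain"
    if inhibit:
        return "recovery-inhibition"
    if kill:
        return "service-stop"
    return "clean"


# Constructed from the process tree on this page, plus one benign control at the end.
IN_EXE = r"C:\Users\Admin\AppData\Local\Temp\IN.exe"
WOW_CMD = r"C:\Windows\SysWOW64\cmd.exe"
SYS_CMD = r"C:\Windows\system32\cmd.exe"
SAMPLE = [
    Proc(WOW_CMD, r"\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe"),
    Proc(SYS_CMD, r"C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe"),
    Proc(r"C:\Windows\system32\taskkill.exe", "taskkill -f -im sqlserv.exe"),
    Proc(r"C:\Windows\system32\taskkill.exe", "taskkill -f -impostgres.exe"),  # sample's own typo
    Proc(r"C:\Windows\system32\net1.exe", r"C:\Windows\system32\net1 stop MSSQL$ISARS"),
    Proc(r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    Proc(r"C:\Windows\system32\wbadmin.exe", "wbadmin delete backup -keepVersion:0 -quiet"),
    Proc(r"C:\Windows\system32\wbadmin.exe", "wbadmin DELETE SYSTEMSTABACKUP -deleteOldest"),  # sample's own typo
    Proc(r"C:\Windows\System32\Wbem\WMIC.exe", "wmic.exe SHADOWCOPY /nointeractive"),
    Proc(r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {default} recoverynabled No"),  # sample's own typo
    Proc(r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    Proc(r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),  # constructed benign control
]

if __name__ == "__main__":
    print(assess(SAMPLE), dict(scan(SAMPLE)))
```

Run over the records above this yields four distinct T1490 methods and both T1489 variants, so the verdict is ransomware-preparation-chain, while the benign `vssadmin list shadows` control produces no hit. Two design points carry over to production rules: match the sysnative alias only from a SysWOW64 image, since a 64-bit process never uses it, and treat a single vssadmin or wbadmin hit as a lead rather than a verdict, because administrators run those commands.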

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\odt\HOW_TO_BACK_FILES.html

MD5 a8514fd9f3a52ab2a00f57494d03b2fe
SHA1 0e204aabbd8b5d6ee1b36d10429d65eb436afd14
SHA256 056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
SHA512 6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

C:\Program Files\Java\jdk1.8.0_66\db\bin\startNetworkServer

MD5 b7739e4f4ccca712ddf982fbb075d04f
SHA1 8fd13a61b8bde683072d84f04ce5e9c720bfc599
SHA256 623a5af7ea5a254e3a2cfbfe7f52464b33b5e4be593bf99c57878d20ceac71b2
SHA512 47630e760c2fb9ce51696d30364843ab798ade1e1beed5814481270bbf8c788e2a8fc2785b01f6b25b245732b5418a31222bcddc297d2ffa047f82236a997f8a

C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 07dd3f61a4850502a3867838fe924b22
SHA1 a8fcbaed5a5c494026f9dc52450d2873f214b148
SHA256 4019d72f0a961895f9b858d72a8946ef0dbba4d312d74b965195c24be9e744b5
SHA512 f974c281eb97bade8c27cabeb58a61e89d9ea3c59e44fc3624a9fa9ce858f4226ab4aa3abfef2216b762b26bd661bf8a1b9be1b74ab027f6a50939e84a3700b8

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 e35ff506f84848ec3cbd75e70bdc0b70
SHA1 0003a00597eeb4f7a4fa76880d104c648d369217
SHA256 329319f3047a263b901fd47e60d4487ef8d17b891a076d061171bd4cad3fcfe4
SHA512 9cfbf25df8f45b029c08992d482c397255718f08f76a79f90e1599eeeb162269a262b7c6d3a534cf97c7644c3f34ef93e6387d85fb0f13d230f9fb51bccae0ef

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html

MD5 e3484c370e473bcc06ee55f1d510555f
SHA1 fda81edff7d7c5dd7019d3c3cd310a6393d2875b
SHA256 588baea132e484e6eca379f0c34c292b4472480f5f4603dbdaf023168fff3e7f
SHA512 7e2c04af8b610531b8a358e56582aeb5cff3f4f5abca8371b2f74cb41af8d3e206840f6103665c3788a3c29c9eb9cb0e76b6df11549baa3c4b0e5363d21f3142

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html

MD5 416bf5b2700ce8e0498faf1ec6bba713
SHA1 6e08ee8d8590bb5efcac77ce8ee594e0c9a5daf5
SHA256 c5cdff18f0f1391a806d7203c42edb2f7b49876c5a94bb1d43742a1f26345a85
SHA512 a53ec1026eb309f2f515baae43caec9ae8d43c659ab7b46bd43b7278bb3e0a7610a41ccb325a2de9884f07ad4d6c50a70f87ee6f0039cf4043f1d86c941da9c4

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden

MD5 0aa5d09cd7356dd53b60a103f34454ed
SHA1 89b597a2d5b3dbdfb7a39b97845bc1c07bad20ce
SHA256 dc17c250e1e1437baa5b649b32532051f25db0b29229b0999d531fdba07c19ee
SHA512 ba474b2c11e7e0f4f1e868d0305196b50b9f7aa63bc2843dcf1894dc4f61fd889a393f6bc44306ee77b979af69d0178cdc67f80469b28529d843799a15a60db0

C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif.infected

MD5 bc8bc9e47cae43f6498077cc4e66505b
SHA1 14aba2f7a108579a179fe510a1dfbf59bdf99934
SHA256 ed6e51b3445eb3e51ccc107abdf9cc8cd07fa98923de14788c39da0d867c17a9
SHA512 cd93e0c06929d78319938986ac6b02052284c79cdd8096781d29dd95a4790feb3067c6a0a89b2b42ec32b84f4bb01241c539a99439a5133a0ccec397d5c144f5

C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

MD5 47576c6cfd4d8184b1993061f4544939
SHA1 00733f4ca9973c2c51cf5ca39427681f10e14aa0
SHA256 f8e7297c874c96a0c19ada5b2ed4e3a4f9139cd139c87da04e809f9ea68bb03a
SHA512 8dfef6d4cd83041fec1531b3bae8d5c73e4c9b975159f5969d10a4bf8f1e019f3fdc3f67121bd0f4d07908fdd715ac9db4392c08ed87b3b92bcb1a7b0710f03c

C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.infected

MD5 46654ab9227f6e56fcc43b5ca1229f9d
SHA1 1662e8a29e0a635fe2bd6cf6b5c7cc6c0f74e925
SHA256 bec373ef34183037c0460e32aab4808128563b6c10c422916a24532249522aaa
SHA512 2518d90b64a030ff6f368cd3e144292bdd6263a2bf54669f01fb216932d12811622d8291623d01ddaec51e0f834121feac890cb4a8c5a3e85f7575d0c83a6521

C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_K_COL.HXK.infected

MD5 0dd436e71080cfcd5c4f729b3c24bdce
SHA1 96efddea72b7fa1b62d78e174826b3b9e3572638
SHA256 794cca21841b6811574226066a5a4a9a3f79eb6eeb18876d82ee27f97ecc351a
SHA512 2703098d869c16104f8104feb59caf903c48ca7f85f985994a6eb454fdf3859e1543c90c785d0aad477324e28f15f5e7738b7c19240cd1440ef06e4a0f7067b1

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

MD5 50ccbd53ead1c32b27c13391302f92f9
SHA1 2de1a5408a5c221c644c65e711710c07516b2fe5
SHA256 7dcc5c68b4d07a1f5e7856a2ba16cf77c91240e66fa86200f7d64b3b8b626130
SHA512 7628fc7f2080f0ff3471f1f6a2c2a66c1f72a28e7e191c7be8344bdd412c2f3f3184011933c27cc16d7861ef77f601aa187cab3a2dfa293273f1bb2b14950aac

C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8en.dub

MD5 dc41d6ccc822d97b05fabdb398959988
SHA1 42751214bee8cc5a854442341324539cd51da055
SHA256 d2586f7ee82c724289f6fd4059934f30667e39e3f447fe076ef0619500ee4b7e
SHA512 efae19e3c11743d947366dd1e3c4552c41e7509a8e583497a110d9d5be4779c21cdd163862c89071a55d10ef4df5ba4525219ec62a86709bd49b9fde93882ed4

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

MD5 d2fcbd86faff12b7761bbae315a2ce72
SHA1 38798a78e1d8b61dae3d9d4164f3d07d4f3a8b04
SHA256 05a31ad3860bec4163e0a8ea6a02fc161cae0501408f8736913cb9c8c8b1d3d0
SHA512 b244661fc438942115927d443b3df628494219cb4d258d42e0d5648c322db79fa5c28327ff9709914535f1c96164f34405ad98220217fa15129fbfe2487b17d8

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 45e63daa0bf896285b6e32b6d8d49dc9
SHA1 8c1af5bfed11a1e0acb683c0628dde813409321a
SHA256 35f4902213846787a96d77828b76bab0a475b47f7f789d2fd6d9a5d97c23c0a5
SHA512 357810f89899534b380764aa52a2945b36830230fbfc33148a9b698de5ff6a5b323cce4279c289525d4138e908b13c1a3f6724b2cbef0244c613744b145422bf

C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo

MD5 152588ab6b47fab00638b3a2a0d11b90
SHA1 c9dab8f8345404a1d6215798a857f90113292823
SHA256 f4742b35babd42f00cbf95ccdd49bff68e6d03bbbdede842bab124decf15a706
SHA512 08e32f95cd9de37e47b2721e2cb8e5a76aca25f6959d545d22b03d4f620a625658df93d968e0acde74a4f50f07187fad34acf829225595baa2834c769b7932e5

C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

MD5 ec7020e9bea8e04cc6cd38d6b718ebb0
SHA1 ea7f4e624eced92bfdf48947a7a631b8d72c84db
SHA256 e3af091cc7345a49c2cf022141504e96d8657cf67db59a8d04a82de00a8c3e46
SHA512 053873287434af5e1dac78822314b177f80dc90ebc3076f5d1448d9cb52bc466d1f5b5f16225ba656a313c6ff94f14c6e623bc125a59aaf355708df52afec438