Analysis
max time kernel: 151s
max time network: 125s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 13-10-2023 14:03
Behavioral task behavioral1: Sample IN.exe, Resource win7-20230831-en (the run reported on this page)
Behavioral task behavioral2: Sample IN.exe, Resource win10v2004-20230915-en
General
Target: IN.exe
Size: 340KB
MD5: 714870c33ba84e744b84b32e6e114ed9
SHA1: 840f442d4466713becdf72b88846871330ac38e7
SHA256: 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
SHA512: 270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2
SSDEEP: 6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE
Malware Config
Extracted from: \Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html
HOW_TO_BACK_FILES.html is the ransom note. The sample writes a copy into the directories it works through (see the "File created" rows under "Drops file in Program Files directory" below); the copy dropped into this boot-files directory is the one the sandbox parsed.
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description: PID 2080 created 1288 | pid: 2080 | Process: IN.exe | procid_target: 14
The row names IN.exe (PID 2080) together with Explorer.EXE (PID 1288). In the process tree below the second IN.exe instance (PID 1956, started with -network) appears directly under Explorer.EXE rather than under PID 2080, which is consistent with this signature: a child created with a parent other than the process that actually issued the call, so the tree's parent link for PID 1956 is not its creator.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid 1652 bcdedit.exe (bcdedit.exe /set {default} recoverynabled No; the element name is mistyped in the sample's own command line)
pid 1136 bcdedit.exe (bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures)
Renames multiple (7545) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Deletes System State backups
pid 2688 wbadmin.exe (wbadmin DELETE SYSTEMSTATEBACKUP)
Deletes system backups
pid 2236 wbadmin.exe (wbadmin delete backup -keepVersion:0 -quiet)
Adds Run key to start application 2 TTPs 2 IoCs
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\""  IN.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\""  IN.exe
(the same value is written once by each IN.exe instance, PIDs 2080 and 1956, both of which the process tree flags with this signature; the value name BabyLockerKZ is a fixed string)
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by IN.exe, one entry per drive letter: \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
(every letter except C: and D:, i.e. every slot where a mapped or removable drive could sit)
Drops file in Program Files directory 64 IoCs
description | ioc | Process (7 of the 64 entries create the ransom note HOW_TO_BACK_FILES.html; the remaining 57 open existing files for modification)
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Installed_schemas14.xss  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98.POC  IN.exe
File created  C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\HOW_TO_BACK_FILES.html  IN.exe
File opened for modification  C:\Program Files\Windows Media Player\es-ES\wmpnetwk.exe.mui  IN.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\gadget.xml  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01561_.WMF  IN.exe
File created  C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\HOW_TO_BACK_FILES.html  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46B.GIF  IN.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css  IN.exe
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png  IN.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107344.WMF  IN.exe
File created  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\HOW_TO_BACK_FILES.html  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR13F.GIF  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALNDR98.POC  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML  IN.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki  IN.exe
File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis  IN.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png  IN.exe
File opened for modification  C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml  IN.exe
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv  IN.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_CN.properties  IN.exe
File opened for modification  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.DPV  IN.exe
File created  C:\Program Files\Microsoft Games\Minesweeper\it-IT\HOW_TO_BACK_FILES.html  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21307_.GIF  IN.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli  IN.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png  IN.exe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.ELM  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF  IN.exe
File opened for modification  C:\Program Files\Java\jre7\lib\zi\America\Chihuahua  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\utilityfunctions.js  IN.exe
File created  C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\HOW_TO_BACK_FILES.html  IN.exe
File opened for modification  C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadata.xsd  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF  IN.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png  IN.exe
File opened for modification  C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF  IN.exe
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png  IN.exe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\THEMES.INF  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107024.WMF  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153398.WMF  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXT  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX  IN.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak  IN.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Cocos  IN.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar  IN.exe
File opened for modification  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03795_.WMF  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.DPV  IN.exe
File opened for modification  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer  IN.exe
File created  C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\HOW_TO_BACK_FILES.html  IN.exe
File opened for modification  C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBLR6.CHM  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01793_.WMF  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR23F.GIF  IN.exe
File opened for modification  C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png  IN.exe
File created  C:\Program Files (x86)\Windows Media Player\HOW_TO_BACK_FILES.html  IN.exe
File opened for modification  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239611.WMF  IN.exe
Drops file in Windows directory 3 IoCs
File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl  wbadmin.exe
File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl  wbadmin.exe
File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl  wbadmin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid 1392 vssadmin.exe
Kills process with taskkill 14 IoCs
pid (all taskkill.exe, 14 instances): 2680, 2532, 1164, 2944, 2272, 1584, 472, 2092, 2576, 2708, 1060, 1396, 1672, 2820
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid 2080 IN.exe, repeated for all 64 entries (the list is capped at 64)
Suspicious use of AdjustPrivilegeToken 35 IoCs
Token: SeDebugPrivilege by taskkill.exe PIDs 2272, 1584, 2532, 2576, 1396, 2708, 1672, 2820, 472, 1164, 2944, 1060 (12 entries)
Token: by WMIC.exe PID 3004 (20 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the last three are privilege LUID values the sandbox did not resolve to names)
Token: by vssvc.exe PID 2036 (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
writer pid Process -> target pid (procid_target), number of entries; the list is capped at 64 and stops at the sqlceip chain
2080 IN.exe -> 2424 (29) x4
2424 cmd.exe -> 1212 (31) x4
2080 IN.exe -> 2228 (32) x4
2228 cmd.exe -> 2800 (34) x4
2800 cmd.exe -> 2272 (35) x3
2080 IN.exe -> 2736 (37) x4
2736 cmd.exe -> 2720 (39) x4
2720 cmd.exe -> 2680 (40) x3
2080 IN.exe -> 2668 (41) x4
2668 cmd.exe -> 2540 (43) x4
2540 cmd.exe -> 1584 (44) x3
2080 IN.exe -> 2564 (45) x4
2564 cmd.exe -> 2512 (47) x4
2512 cmd.exe -> 2532 (48) x3
2080 IN.exe -> 2592 (49) x4
2592 cmd.exe -> 3064 (51) x4
3064 cmd.exe -> 2576 (52) x3
2080 IN.exe -> 2500 (54) x1
System policy modification 1 TTPs 4 IoCs
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  IN.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  IN.exe
(both operations appear twice, once per IN.exe instance, PIDs 2080 and 1956; the process tree flags both with this signature)
EnableLinkedConnections = 1 makes drive mappings created under one of a user's two UAC-linked tokens visible under the other, so a share mapped in the unelevated desktop session is reachable from an elevated process. Read together with the enumeration of every drive letter and the second instance launched with -network, this points at mapped network shares being in scope, not only local volumes.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[1] C:\Windows\Explorer.EXE  PID:1288
    cmdline: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\IN.exe  PID:2080
      cmdline: "C:\Users\Admin\AppData\Local\Temp\IN.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
      Every command PID 2080 runs goes through the same wrapper, written out once here; the rows below give the PIDs at each level:
        [3] C:\Windows\SysWOW64\cmd.exe      cmdline: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c <command>
        [4] C:\Windows\system32\cmd.exe      cmdline: C:\Windows\sysnative\cmd.exe /c <command>
        [5] the tool named in <command>      cmdline: <command>
        [6] C:\Windows\system32\net1.exe     cmdline: C:\Windows\system32\net1 stop <service>   (net stop rows only)
      The 32-bit cmd.exe in SysWOW64 uses the sysnative alias, which only resolves inside a WoW64 process, to start the native 64-bit cmd.exe and the native tools.

      <command> | PIDs [3] / [4] / [5] / [6] | signatures
      rem Kill \"SQL\" | 2424 / 1212 | [3] Suspicious use of WriteProcessMemory
      taskkill -f -im sqlbrowser.exe | 2228 / 2800 / 2272 | [3] [4] Suspicious use of WriteProcessMemory; [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im sql writer.exe | 2736 / 2720 / 2680 | [3] [4] Suspicious use of WriteProcessMemory; [5] Kills process with taskkill
      taskkill -f -im sqlserv.exe | 2668 / 2540 / 1584 | [3] [4] Suspicious use of WriteProcessMemory; [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im msmdsrv.exe | 2564 / 2512 / 2532 | [3] [4] Suspicious use of WriteProcessMemory; [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im MsDtsSrvr.exe | 2592 / 3064 / 2576 | [3] [4] Suspicious use of WriteProcessMemory; [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im sqlceip.exe | 2500 / 2504 / 1396 | [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im fdlauncher.exe | 2964 / 852 / 2708 | [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im Ssms.exe | 2844 / 1704 / 1672 | [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im SQLAGENT.EXE | 1420 / 2924 / 2820 | [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im fdhost.exe | 524 / 268 / 472 | [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im ReportingServicesService.exe | 1708 / 1380 / 1164 | [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im msftesql.exe | 2332 / 2904 / 2944 | [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -im pg_ctl.exe | 1240 / 584 / 1060 | [5] Kills process with taskkill, Suspicious use of AdjustPrivilegeToken
      taskkill -f -impostgres.exe | 1720 / 1752 / 2092 | [5] Kills process with taskkill
      net stop MSSQLServerADHelper100 | 2140 / 2060 / 1676 / 1464 | (none)
      net stop MSSQL$ISARS | 1460 / 548 / 2164 / 1816 | (none)
      net stop MSSQL$MSFW | 1048 / 2024 / 240 / 396 | (none)
      net stop SQLAgent$ISARS | 1528 / 2112 / 2280 / 704 | (none)
      net stop SQLAgent$MSFW | 2408 / 1820 / 1700 / 1556 | (none)
      net stop SQLBrowser | 1552 / 1760 / 1236 / 1624 | (none)
      net stop REportServer$ISARS | 944 / 2344 / 804 / 1952 | (none)
      net stop SQLWriter | 812 / 2104 / 1568 / 580 | (none)
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | 2220 / 2476 / 1136 | [5] Modifies boot configuration data using bcdedit
      bcdedit.exe /set {default} recoverynabled No | 2292 / 2444 / 1652 | [5] Modifies boot configuration data using bcdedit
      wmic.exe SHADOWCOPY /nointeractive | 1936 / 2796 / (no child recorded) | (none)
      wbadmin DELETE SYSTEMSTABACKUP -deleteOldest | 1944 / 2016 / 2368 | (none)
      wbadmin DELETE SYSTEMSTATEBACKUP | 1744 / 1604 / 2688 | [5] Deletes System State backups
      wbadmin delete backup -keepVersion:0 -quiet | 2300 / 308 / 2236 | [5] Deletes system backups, Drops file in Windows directory
      vssadmin.exe Delete Shadows /All /Quiet | 692 / 1068 / 1392 | [5] Interacts with shadow copies
  [2] C:\Users\Admin\AppData\Local\Temp\IN.exe  PID:1956
      cmdline: \\?\C:\Users\Admin\AppData\Local\Temp\IN.exe -network
      - Adds Run key to start application
      - System policy modification
[1] C:\Windows\System32\Wbem\WMIC.exe  PID:3004
    cmdline: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\vssvc.exe  PID:2036
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

Reading the tree:
- Several command lines are mistyped in the sample itself, not in this report: "sql writer.exe" (sqlwriter.exe), "sqlserv.exe" (sqlservr.exe), "-impostgres.exe" (no space before postgres.exe), "recoverynabled" (recoveryenabled) and "SYSTEMSTABACKUP" (SYSTEMSTATEBACKUP). The report bears this out: the correctly spelled wbadmin DELETE SYSTEMSTATEBACKUP (PID 2688) triggered "Deletes System State backups" while the mistyped one (PID 2368) triggered nothing, and the two taskkill instances with malformed arguments (PIDs 2680 and 2092) are the only two that never took SeDebugPrivilege. The misspellings are both a weakness of the sample and unusually specific strings to hunt for.
- The wmic.exe command line carries no delete verb; the shadow-copy deletion the report attributes to the sample comes from vssadmin.exe Delete Shadows /All /Quiet (PID 1392). WMIC.exe (PID 3004) and vssvc.exe (PID 2036) are listed without a parent because the sandbox did not link them to the chain; the wmic chain (PIDs 1936 / 2796) is the one with no recorded child.
- The second IN.exe instance (PID 1956, -network) is shown directly under Explorer.EXE even though the NtCreateUserProcessOtherParentProcess signature names IN.exe PID 2080 as the creator; the displayed parent of PID 1956 is the spoofed one, not the process that started it.
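In detection terms the tree above is one launcher fanning out through cmd.exe wrappers to taskkill, net, bcdedit, wbadmin, wmic and vssadmin. The Python below is an added example, not part of the sandbox report and not the sample's code: it replays constructed Sysmon-style process-creation records built from the command lines and PIDs in the tree, attributes every hit to the process that issued the command by climbing the cmd.exe/net.exe layers, and alerts only when one launcher combines service stopping with recovery inhibition. The record layout (pid, ppid, image, cmdline), the WMIC.exe parent link (the report shows it without a parent) and the benign control event are assumptions; the regexes, the ATT&CK IDs (T1489 Service Stop, T1490 Inhibit System Recovery) and the "sample-specific misspelling" rule are mine.

```python
"""Flag the service-stop and backup-inhibition chain from this report in process telemetry.

Added example, not part of the sandbox report and not the sample's code. The records are
constructed from the command lines and PIDs in the report's process tree; the record
layout (pid, ppid, image, cmdline) is an assumed Sysmon-style process-creation shape and
the WMIC.exe parent link is assumed (the report lists WMIC.exe without a parent).
"""
import re
from collections import defaultdict

LAUNCHER = 2080  # IN.exe in the report


def chain(wow_pid, native_pid, tool_pid, tool_image, command):
    """Three events per command, mirroring the tree: SysWOW64 cmd -> sysnative cmd -> tool."""
    return [
        {"pid": wow_pid, "ppid": LAUNCHER, "image": r"C:\Windows\SysWOW64\cmd.exe",
         "cmdline": r"\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c " + command},
        {"pid": native_pid, "ppid": wow_pid, "image": r"C:\Windows\system32\cmd.exe",
         "cmdline": r"C:\Windows\sysnative\cmd.exe /c " + command},
        {"pid": tool_pid, "ppid": native_pid, "image": "C:\\Windows\\system32\\" + tool_image,
         "cmdline": command},
    ]


# Constructed sample telemetry (PIDs and command lines taken from the report's tree).
EVENTS = (
    [{"pid": LAUNCHER, "ppid": 1288, "image": r"C:\Users\Admin\AppData\Local\Temp\IN.exe",
      "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\IN.exe"'}]
    + chain(2228, 2800, 2272, "taskkill.exe", "taskkill -f -im sqlbrowser.exe")
    + chain(2736, 2720, 2680, "taskkill.exe", "taskkill -f -im sql writer.exe")  # sample's typo
    + chain(812, 2104, 1568, "net.exe", "net stop SQLWriter")
    + [{"pid": 580, "ppid": 1568, "image": r"C:\Windows\system32\net1.exe",
        "cmdline": r"C:\Windows\system32\net1 stop SQLWriter"}]
    + chain(2220, 2476, 1136, "bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures")
    + chain(2292, 2444, 1652, "bcdedit.exe", "bcdedit.exe /set {default} recoverynabled No")  # sample's typo
    + chain(1936, 2796, 3004, r"Wbem\WMIC.exe", "wmic.exe SHADOWCOPY /nointeractive")  # no delete verb
    + chain(2300, 308, 2236, "wbadmin.exe", "wbadmin delete backup -keepVersion:0 -quiet")
    + chain(692, 1068, 1392, "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet")
    # Constructed benign control: an administrator listing shadow copies.
    + [{"pid": 4100, "ppid": 900, "image": r"C:\Windows\system32\vssadmin.exe",
        "cmdline": "vssadmin.exe list shadows"}]
)

# Rule name -> pattern over the command line. Names starting with an ATT&CK ID feed the alert logic.
RULES = [
    ("T1490 vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490 wbadmin delete backups", re.compile(r"wbadmin(\.exe)?\s+delete\s+(backup|systemstatebackup)\b", re.I)),
    ("T1490 bcdedit disable recovery", re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I)),
    ("T1490 wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1489 net stop database service", re.compile(
        r"\bnet1?\s+stop\s+(mssql|sqlagent|sqlbrowser|sqlwriter|reportserver)", re.I)),
    ("T1489 taskkill database process", re.compile(
        r"taskkill\s+[-/]f\s+[-/]im\s*(sql|msmdsrv|msdtssrvr|fdlauncher|fdhost|ssms|"
        r"reportingservicesservice|msftesql|pg_ctl|postgres)", re.I)),
    ("WoW64 cmd -> sysnative cmd hop", re.compile(r"\\sysnative\\cmd\.exe\s+/c\s", re.I)),
    # High-fidelity strings: these misspellings are in the sample's own command lines.
    ("sample-specific misspelling", re.compile(
        r"recoverynabled|systemstabackup|sql writer\.exe|sqlserv\.exe|-impostgres\.exe", re.I)),
]

WRAPPERS = ("\\cmd.exe", "\\net.exe")  # layers that only relay a command to the next process


def launcher_of(event, by_pid):
    """Walk up through wrapper layers to the process that really issued the command."""
    pid, seen = event["ppid"], set()
    while pid in by_pid and pid not in seen and by_pid[pid]["image"].lower().endswith(WRAPPERS):
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def classify(events):
    """Map each launching PID to the set of rule names its command chains triggered."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(set)
    for event in events:
        for name, pattern in RULES:
            if pattern.search(event["cmdline"]):
                hits[launcher_of(event, by_pid)].add(name)
    return dict(hits)


def alerts(events):
    """Launchers that combine service stopping (T1489) with recovery inhibition (T1490).
    A lone 'vssadmin list shadows' from an administrator never reaches this bar."""
    found = []
    for pid, names in classify(events).items():
        techniques = {name.split()[0] for name in names}
        if {"T1489", "T1490"} <= techniques:
            found.append((pid, sorted(names)))
    return sorted(found)


if __name__ == "__main__":
    for pid, names in alerts(EVENTS):
        print(f"PID {pid}:")
        for name in names:
            print("   ", name)
```

Run as a script it reports PID 2080 with seven rule names; the wmic rule stays silent because the observed command line has no delete verb, and the benign control contributes nothing. Attribution to the launcher rather than to each cmd.exe is what makes the combined T1489+T1490 condition hold: every tool in the tree is three processes away from IN.exe.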
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD548452522857b81bf9b83755d38ef5e26
SHA1fc3a10874957587e1af69238824e3768fdb19817
SHA25622f5f633aa2cd31220742d59aada5fcb19e055ccbc4c26b10d95797f39db918e
SHA512d87557b0ab2442f6ddc687a8c6a196c5adc115864624da6c40cff03d5e4a66e15bffdfe943403202612242cd820feb0da125a99f84dcd1e6abb2a5af71fdf128
-
Filesize
1KB
MD5199478f663af48df9ec6ae188c1cc172
SHA182e15a4ef733271315e2df4ac9fc9268a2aa8c62
SHA256d0887138e3ba84af7096f3045c06b6c7b9b574622cf7723dc1d03440f4559afd
SHA5122ae6ac62e0b7ee9b1ee066894582df84ec1b7daaa3d670a5038f33dbcd6a9f6ada654f050df96af694e16b81d91f76631d0a59b237318371a580c4e37542538f
-
Filesize
1KB
MD5e5b0db35d56400f48188c95b55da3798
SHA133acb2ad5490a63b70ef713d6cec64e135de3a41
SHA256c3876929b44f55509f773386b47c04425f037ce1cf47635411fab7759a5b6a49
SHA5123f71875da4b8280062ff386eee52235b50d4e097e77ab5f8e14cbcb1173fce29e70865c3316817f9c7127f33c27ee7f79a8a621d67a96fe514b09e03c6cf190d
-
Filesize
1KB
MD5138e03605263af78e6eb831af5116052
SHA161d5141fae9e36f5bc62c02a3e0d0d906e61a13b
SHA256fd4cc74be9d3637c05f6bfefe872b2054e17491b1df72a2649e8779888621f21
SHA5129c9e589fc7b440f28ae175db0e08b151d45325edd1114a5bb3b7cc5e20bc065986ccd3d1fa97c935705e7224378719c5867525a456503592cfa7c1de50011ed6
-
Filesize
1KB
MD536eefa9cb22dfdaf8dc49a89af19a26b
SHA1fdfd3c03c0642cd19464fde9248c853c750f2dad
SHA2561a18bf09aae35ed699a9ab6861683d2b7bcedbe6f05a9f95e8ebeac6a7e2b25c
SHA5128f07df099e96217bc5522dc64c86a9f6a9b212b727352f907353fc8d78b5d3c78677d20715c14c249e79405b1462fcee964158440d9b556e69ddc17fc67beba1
-
Filesize
1KB
MD5d7002f81474b154e6a004768cd01672f
SHA1766a4cac87f480c78eebaa6ca1f182a72cc90c1e
SHA2565a811812aa8ada0d647f87d99f596fa5bb20ff78fa2245d96bdc64cfcf44c202
SHA51258178ba34c27a8ddee643fae29567eab96e1bc2f569885dc9bca9495a4bbf66b236e249cd6edbd4faa50fb6ee8bc190cf5f0c992eecc614ce94505385bc180fb
-
Filesize
240KB
MD54f3b20d78f1d35a400e107b99e91c6ef
SHA1c69cbacd2bb58bdf18077b1daeaec2981741f63d
SHA256fc295fabed69a0123c438ae3591ac6c2287f52fb973e8b0708afdd742d21644f
SHA51283a4e88234099b87bc6c0d638bf3f1657d391306174639888618c529982dad174c40f30f6917d7e0dd2f834fd58dfc33c2fe0e3f5df47a2f2a52ac75b5e2212e
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF
Filesize 1KB
MD5 98784cab0b4e6e7ce65b08b8a1a720c9
SHA1 bf826a9f1b5c32aa42c345a9c456117f97035e9a
SHA256 7276195566f812e2c6f8b8ced7647cf903160f9dd73dd6ba4b3eb540781865c0
SHA512 2aa0700a80cd1fc7eed20f22492ac0781bacb188a55f38e05f861dbabc1ed841c8a2d47ee16d925727edd32575212322011c595a1c28237cc787e39f1a51b106
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF
Filesize 1KB
MD5 bd3845477c369f46438b14f37f20bfea
SHA1 2cba279e4b24d741dcd9b504ff6b787915418dbd
SHA256 5196d0cd831938e86202c4f564474c4aff52dfa26de2537ffba19e4ee73b8672
SHA512 9985ead39ce6fda81b01f5277f519af3e9ceab9f55b45605cb879efbd6e26b0bdb14307eb0291c86f2c4738202d83ec17dd43c422440afc46839c069e5e5c97d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF
Filesize 1KB
MD5 298b331a4bedf95b9ae820bab7b725bf
SHA1 b337737e414e64ddc769c711fbd799e7b753101f
SHA256 04c94f091a76d9bd6f3e11e4b470b406bf869e0faacec6bd17b23e3d98c12eb1
SHA512 39835c013fc4a4d70952d8deaf8cd72620b63c95ad6264825f57c031af2e2fc707b658d1bf19d01f9bb2d2f33731eb5ae4d4a725198ff4edd5e3d3c1916a702e
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF
Filesize 2KB
MD5 1c2ee5973c818179bc21bafc176e3761
SHA1 3d8314b49a086e9fc9e8568559f1cd717cc8b27f
SHA256 0382392299a83d6ea07ca6489e476c1b815205526b3c2ca5a2242dafc82d0894
SHA512 4ef8adca9c8d62769c0b6a9a484e6d40e00c14039e0c4917b2c28005a13c10b8419a6bf439cd444427216d0acd838947acf09e5ecdb86898d429245ce1817fcf
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF
Filesize 2KB
MD5 1494cf5a46c3b23c878c83b893996c69
SHA1 c8594f5616850211b0dc7e82f61bafc68ddd8c66
SHA256 19aabf582755ff74cb224181cb3a98a9e165988c52cdcc7a082ad9e1c1114ed2
SHA512 87b5736b2a20ccb6a6674e3a5f147b772b29f771812b366163ccfba97b53f90e0def2c6ea07e113a34abb2821058d268089e2358e03144f82d0e75f3d498af88
-
Filesize 2KB
MD5 44a9cc4ffebc99661110c0360bb12689
SHA1 ff5b2bc603ffed12dcc0bb4d09b522facbf05bbd
SHA256 f9eece11843f46998288065810be7616d94fc2ee60f20a6a34a18a394e41fcb6
SHA512 5dea24a4e8be13436ac7e6a3816fd6dfaa8e9c8ffc9b535ef0090068457c8c61ae6698b287b2b8558f5b5b3f2e891943cb1b8d66cd7da8893ec1440f888b7e9f
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif
Filesize 2KB
MD5 7fc541e2a356cd8678f82a60639806b0
SHA1 22ffa7a0820d470ccd1e87e0cbe26cb2a41cb5f3
SHA256 a6040349a1b7a277124aa5453ce06c4798c3a58935d1917163448f2513a08cd2
SHA512 771c11f5e9e34a14a712a52f05a570d20325001b61d50edb9abb6011fba96ad3153ed47b5cee89f082f01317db27259fc43a67564371c8dfb770b4ac0ac1d3c2
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
Filesize 2KB
MD5 fcf3f8a2371b904a59c97ea9dead60dc
SHA1 3f4b5bafcf9828fa0868ac5585e09c34c5d15edf
SHA256 35e8d4b8cd4feea2f59d1e59136af420f2fa76f42921386bb9724a5fdc8db7a4
SHA512 0b3e7910971cd554968e77aef5cbe8f13c1eed7e119006c0527f0fe7505b088abb7a1538ccdcc47caa5635533d4d926abdbbdccde9c8a5c9d551c256fe18d063
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif
Filesize 2KB
MD5 62fb1064fb64cefa9dca22b72c3fece8
SHA1 b2a15396fad1b0e66619c489dc1a2d8acfbc75a1
SHA256 abbbe84bfe5e950d7ead24c05971db38ce244104516063f955139d913142c6c3
SHA512 84080f9f88734267a6de986be9bac34ec26f5fa95e15be35abeedcbf42ede93bc9b92a23dbd8fb5dbf48ef681410b818860f9d8b275736c87e777b866db00944
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif
Filesize 2KB
MD5 1bd9b2dca6ae4e42aa530412f69d939f
SHA1 0b814377543d1a8aa275a6898089b2b317f034d1
SHA256 ffaeea56c18720a34a424777a69555be2a94ca808809e94a8deee75ad88f98b5
SHA512 dc462ae055600dd931df6c581e8319e8e49ef01f29bfeeb40b790c313532c69a7783c8b3aef2cbbf9831122a6817dbb3eafe6702209384057b056b541c963772
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif
Filesize 2KB
MD5 6d131195bab3b0e3764a6aae52447352
SHA1 8dba474586c2c2687d23dd7f4bcfd4ef42694a54
SHA256 fbbe5c7e7f8d78f8347d797c81a569817c4c81bcc6eea4a925d0f3f6a6b2336f
SHA512 6625daf5723045994fd57fe2ce98877c3ffcaf75a36c162f4a5bedd5041d07a65e4bb350f8056e9ea67cd2bf2cf4a9ebc37d89d6bc17f6f2bc548da5698a0c5b
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
Filesize 2KB
MD5 fc4f28bad2232367757ee1ce93572bd9
SHA1 b9b950e5570029a8512c3a819c7d0fdc89ded6a2
SHA256 2a999ede73d0b2e8a632959a0c8557e7d0085dfc70601c9d329c7f2d7778a586
SHA512 dd80f1bc7f96c4dd5f1fbae44fb9ec106fbe689033aa55c7e0ddb58a4b314ebc85b012d8d961217841a636c0eeca8f0130faf1185a96b0a658d308a753f5a31e
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif
Filesize 2KB
MD5 a6aca18990b30c7b03d9d267b9bfe605
SHA1 c6a03f773f1133ff77eb8fd4e8a82409519504a1
SHA256 3e800b976344a7dd2973aed5f7042ee1d9f9032fcb4befcb551e57d7a7fb65ae
SHA512 c2c7b84bb98d7380192b5e378d4380075edcae7e54bf80b74df525f36b09093252438a4edc1637fc2c4da514011d6ccc654487954c5e5c8bbda63594e676ecbf
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif
Filesize 2KB
MD5 900d02b47cb7aaae0bfe14cd9b376f74
SHA1 2b798d7eb8580999b56626b33c5c19955b69e646
SHA256 41c77e3c6f3cb3446fdacc17e0b66dfb3078553a65efac6fdd77415e458d060e
SHA512 03f96c390febb8aa7f0762cbec5fae836f2d6ef9d88fc3a598875446a854a2f4c81d1c7e1d6a293b4ccfe2065fb107a0b2d1eeb88d35b725fb1d2197bd5bb33b
-
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.infected
Filesize 248KB
MD5 ef899b6429ea294a097bdda74dd97a69
SHA1 b16fb57162d9e4daf87f6e382abab04bee89a701
SHA256 9ce2a59df0679ccfbafbaa3bb522aff25e787d1212d1fc45253d796eb8a31419
SHA512 f9c438946daa9940c2143342a2972b102c9d90ca72f4b4d073e9b92373a254c1be2621e855555d5b48e19421346008d4ea4a9b6b0f9c18b8d974d2aa82bc9437
-
Filesize 2KB
MD5 bfd8822fba10856263e56548658d519a
SHA1 6371a05a879cb94f08d3eb984642fcfe2b09b9a9
SHA256 80df43b521f25fa2a046e01459f74fa633ac1d8d2f84054d40da251b6f25d400
SHA512 42b32c8979f767f54dd863583d718199dd7459a994c307d2d7126ed2187a8427e071d51690ef5cd7ea32ba901b4196c19ff6e8faba74f7504c3e4562621207eb
-
Filesize 2KB
MD5 811635f156d75e3604ce3a8751ce81f7
SHA1 e87c5ddcc424a9a8a23b0273fb6a9f9d0be2cb2f
SHA256 41da1f55bff0c246c71f4e742640be15683b4a1783b3039c684a1480d2f41999
SHA512 d0f024188a4f58828d8327d4d7556b90f5987155ac8b43810937ba74843caba8fec707e8021eaafedd2032b0b31607d204431989243a3ab5144c8a58010d775e
-
Filesize 7KB
MD5 f546018fa9865b6ace4bf5f7ae39caec
SHA1 c3602bb8743dd823890965a9ce5301003c535880
SHA256 660b561f1a51169c795046ad272d0d139b4f334a37a3d752ee40d89dfd9bdff2
SHA512 4971a0836e4a542d70e393cd72b362b298c5da2a2838d6ae2b88eb9f825af4194395967c2a0c375de64aba3c64c946216a4947d501e7c66ffdbf2dbda9b4dfe4
-
Filesize 1KB
MD5 03a4c9721d5e6fb3fc4abcd2ad9f9212
SHA1 ed259566713f4d818d4423967468633dcdf7984c
SHA256 3275523740d5961a14c6d83a51df5ed92fccb3adfadf14233e9d092309ff33fd
SHA512 7ca8c44d36f5952681439c95a4d553e5d97975f08399c8194f34bc0c6e6e12dd0b7178ff24806790705a325b40261eef4fd57aac2dd435de55acf70e8dc289b8
-
Filesize 1KB
MD5 1305489f4a55d4aaea10ee7a22ef079b
SHA1 238b16b9622050aa6bd8599d4fc87ac50df13acb
SHA256 4d5ab55ae1d766a0ced618c4ba446471e46f0595638e4342735837a24a28b7c6
SHA512 33f57e77561d5d37dc5a0bd22823d4e7580bcef7c28c776386e9f47cce5bddffe99b1515f481831775fc31af6e1f56f856283d4f2dc721bfc8d1e345f7915666
-
Filesize 1KB
MD5 aed4d293c52931f89cd344b6d017569b
SHA1 37459ddfd530a0d9679ed589aad728f8ab0b7d00
SHA256 0ad55117355c0b102d370a8373093b1eb02729643d927e62412ebc68680b557b
SHA512 cdc48a729fb8d51e7463cf40de5240bef022764d8e1338fbed8981bbd73d7b8ea4057d1dfcfc9f138190c1ccaa5a1449b995832ebcb38d6c053f1fe434765836
-
Filesize 1KB
MD5 26d24c84b169ed7621db4c9d6a82ec53
SHA1 3dc942e99d7124c3ee50e59e1e7d2bd3fe53f9d1
SHA256 d86a3685e103366e53792a6b9a7eaca74ea56fd4b20b4f3cb1e3c6fb6fcbd845
SHA512 f742a402d14064eeea568294d16fdeae92bf814db2e421c3fce44b3008b4677ae055a506ff1dbc2f24be5f0d399055cfe3ab0a2c563e3c3ea9a46854bec6e9a7
-
Filesize 1KB
MD5 124e30d672732e6fc7800e0b35457212
SHA1 bd55057aa1380d867b88c1983f2c480bfee53f0c
SHA256 7f0b824d6d7d37abd2b2975f5d9db7d2855b1d4dc674bc2ba6b6b8cd475dae52
SHA512 9e9b94261366361adf19bf4187a5999531b21a96ae17e2158619d25811a229e8033113737576d04df8ddf6ee1ea8939ced55509ad771bd8adc09622330dc93b5
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize 13KB
MD5 185ed89b35f68193ca4f49eca79290b2
SHA1 cfcb059c38eb2ebd95f3d433b7fa32e517c39c7e
SHA256 2ea10924ba4116d5d0add0e13309128a0dbc680dec7163993b22e7f46f63e3ff
SHA512 bd1f3e26405931f2d6465a114d40e70e52cbce9c7cd754816cf7957ab100acc929c937d9038a0e75e1963cd2d94d2ed8938ad46f1afbd0e9b511c9fdc6f2d607
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize 10KB
MD5 adfe1bce278c8b6c07fecf75bc8cb899
SHA1 97b923695b3d27d5bae03b1ceb458d9a4ac9f5e2
SHA256 de7bda0f7393385f171775324d5a35e1c40054b691ce72a2e043e61984b28198
SHA512 40aeb9e639960febb61c77218f56e9e35b746ca57b3df5ca91fba9006e4959d77cb848c697aa5e468c5a134b3d4e81b6ff4e86ba6b216f56721ec357ad0b1418
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf
Filesize 1KB
MD5 aaa1dcb4b6b2cbcf6628542e8ce9be20
SHA1 886b1e35bf355107634a5a4e12d832654e5750a8
SHA256 916140d2f1d05320e7dd27e6f6e13b83b42c49bf93d99c8647f57688bcca1fda
SHA512 c2c81c42c76422368b8b1dad9620e97e853712761a5b0cf2b6c0878e9379f71be109f8fa08670c5307dbca17fcdbe3c2ed5ef97bc4b8d33658a7a3cdcee02fe4
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
Filesize 9KB
MD5 80881b40bc14822560282edfeb5cab66
SHA1 bc7a83899ef5f2d08e95ffce5c8137c46c3b91e9
SHA256 54ed1efc1a7039f41cf20200cb4c187a40c3f599b9dd090426e850043bf450b3
SHA512 a42bdac3278f2199c42541be32f9881b5a33697cfd5bd5af38b44194cdb2c1ac9dbf9f13d7a0a22dcc306a06adea01fcef0013d28d4e60cd6e8acf6ed6b53eda
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize 12KB
MD5 8c2903c9f8c3ff038ba5e81496ffa88e
SHA1 c3aaab77902f15b26ce9d6cddfb2c2bafd714619
SHA256 e0585a3dd774276cc67a7a9222309bb959147e43b4eb81b0252c7faf43cc139f
SHA512 c6a21f408b45fc26ceb8c3d28a742e01d2c94df091d1b4e46477b8bf5db44bab3971df0470be3786dca2177d6fb2663a60f0a76cb41550c8cf879fb9b1ef47d0
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html
Filesize 10KB
MD5 dca48728f86b631d5fd1a206c38b2922
SHA1 1ee5d70ad5483879a19110af5277aa7d25e92b63
SHA256 ecbd951f3cd628df2ac3d8628c6d1b5b02cd6009bd583e898d92d19f0083184b
SHA512 398e788a1aa45be5afd2168a3634f85096388f6778e4336303e805b9cf2ac806ed7137ae06141ff1d5e0864ca9832d6ecbbc3be5357f81d0c5bd4c685ba26b64
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html
Filesize 13KB
MD5 36e69de3a0f952d1976088c704e425a4
SHA1 d0428343a1af3ebceb01204d6c3ee56489c9a6d6
SHA256 b3200c859ccb0763a6cb46d4832e70ad529da2d8d739588779900b8afaacbf78
SHA512 5c14120d2a45d543341fe6f620208a4ed8705ec6d3c34d167027b36b6315cf5d91e95925f8f63a8e42892245dbad696fde5b8120f0559bb68eddfb3b853bceea
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden
Filesize 1KB
MD5 da3f2c09eeb1ccfebf44acbbe1eb84cb
SHA1 0c5ec6bb403303534c06608d476febed42986a7d
SHA256 ffb1bf9f43ecacfe01c80b7cecbdaf8396daa49f935a5650b7f005806d13174b
SHA512 d2bafefaaef8876059109eb35150fb474c3820cafaeecc371b1681ceadfce59e93780f509d2ea465f2baa9fcecada7c00d78538e53e832467b091b439ec3fb3b
-
Filesize 1KB
MD5 9e2b4d8ebb68b683840bf5964d4fff2d
SHA1 f58f367bcd758fbbc26d2b5491b71d40b67594c0
SHA256 649591be527ad8bb0cb34ee53921f2da9f9412e313fb2c161e7b54bb4989f5fa
SHA512 cbcdf4f3e02e2e2a79fbbca0a4af5e7a6cfd40edc32f54bb4fd3838aa5eab7ccd1691d68629c1067ac212233ffb4038c189a71fea40eaec234a59244b46b3d87
-
Filesize 1KB
MD5 fcbf75476749e31aca4f14afe700482e
SHA1 ed62ba9974c6509909f94692207707dda8283e4e
SHA256 bd1d12dc7a8708ff370c7efe4292fdc040bfc4fb1e41b8bcb20ec84aa5042413
SHA512 42732a1492e215a53acc8a8679daa55bf3d70cf07f09fe5d58c6e7118171aef701f3ffd48f53ebdf1c3b141dc8d86b87a741b115fe22e24d3b338dfe96475b11
-
Filesize 1KB
MD5 28c694803310be781eb918d7523c9233
SHA1 b2ef29a93f097a46798aba423e588b587c573b2d
SHA256 2cb719358a7674e1f0e213bbbb071bad49e929b96b8769393765e1b2d5a6d98b
SHA512 ed0814e8bf01dfa99f44908dfd39cb2c734608bb53d643ce7f2d3cb06919c41831eee31c8782054fc051ef136c780e94a0acfb77da164d5325f9bb85c382b8b9
-
Filesize 1KB
MD5 8e79f9682c66c4e4ece5bc48cf8a7a3a
SHA1 a851a04fee26700f209454ba125b708bb4b54ca1
SHA256 5bd7b1c0f9d45604218628c119527e80f329613908c00152da1312e34ca887f1
SHA512 eef88238c382cd841fe674654755d12a9e920bcc96972c7765ddfb3e124321acdabca26f35995a711e6777bdb4eb0a3db83e8c4b58d9c0141d7c8e51a5710551
-
Filesize 1KB
MD5 8330845b84a2b8fcdfb52131b17a595c
SHA1 82b35ac530762637310950929a9dadacd56361f0
SHA256 1094274d712a9ff2d589ff70389e75e846e0cb5b8565d2fff532ec2b70b24105
SHA512 cba232945a952a0df853a47cd379e9c19e161a0006fa5fdd59868f83b00508a38cb5782fd3098b5914e19a649efd9c0592b8e2ad585119725b16a9367cdcc489
-
Filesize 609KB
MD5 2ebe7920c0f1e4a6495bf69b30cdbd52
SHA1 b7c6dec35942dff7a0ec651988c2874fc9ab794f
SHA256 bad480c87ae2b7b7ff7bcb36afaa03a315781072eb9cebab9630eaa3ef55b586
SHA512 5f1c5e88271a2cc2338bdfecc0b3e809caf37b201afe05def4668d3dcfc8e99d7c9f47dd33c5d02051af20d669a30dcd1b786208ede05b391f25223c3acfcf77
-
Filesize 1KB
MD5 9d61121d40d5facba36956528574347c
SHA1 e839e5dbd065705f4ac33208e67d5ef8f3d64453
SHA256 3f0f8f467997bc3d157d61a8b7449c723c0cb3088977dfd11cb6f3cbda89c475
SHA512 29975a505687635e6551bc8dac24dc926d3208c62c4910d3780c86b3eb3f2eaa173428375359ac4c04df85c0364df0b3ef4160902a2dd4eea2f516d5aa0407bc
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000
Filesize 1KB
MD5 9f0d5dadfc3def66868f30eb57239e35
SHA1 82f4ad7dee5f9f20cef44ef526fb326f986ab3e6
SHA256 844547a5d3841c21abbe6144b39819525206eedbb48bd17e1c0e02ac4c265f02
SHA512 c344f70ae9d3e1566b5a3e825f98fcf6536fb33f9d25a1c10aaf6b107ded0aa01edb4286fd1ba4a35ac3b9e9349d2a47e832c9765ea0054e9fb031f9eca75e74
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002
Filesize 1KB
MD5 9d6ecb2c8a59b8b309aa5909cd477497
SHA1 c6094a6c6fbcc4c85f64cbb828c6f25c066e25f1
SHA256 1d7416951dbfc01871f9e854d8f2241f2320a01fc85ec9bf52cd6a6d4560ac69
SHA512 c193cb0241938e076a49cc5c7ac5bdfc43f21a7ac12e100691b3b52316cfbf61e13dc4558624b1eaae6848aa79f4ebdd985039de5b444ce47e2f0b426184f0b6
-
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
Filesize 181KB
MD5 0ab8cbf35cd5f1aa467e7fc32c58b7d0
SHA1 aa1566319fd3df47b6e70d6a656459c50d4b0cfc
SHA256 e0a2a061cf6b2480599194c3344354c2836fef1f7a94fb7dbaf8d95b16d52e96
SHA512 fd6f613419f949c23dc099bb4ccb89bbd8acaddf3021d07576f0c6487c45e1be7faba8587f3001ac258df7402c34d60efc5341d2623690fc134cc1dfa1890735
-
Filesize 3KB
MD5 a8514fd9f3a52ab2a00f57494d03b2fe
SHA1 0e204aabbd8b5d6ee1b36d10429d65eb436afd14
SHA256 056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
SHA512 6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b
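The dropped-file listing above is what a responder turns into an IOC set when checking other hosts for the same artefacts. As an added example that is not part of the original report or of the sandbox's own tooling, the Python below parses the listing in the form it appears here (labels fused to values such as `MD5<hex>` and `Filesize1KB`, or `Filesize` split from its value onto the next line, entries separated by `-` lines), validates each digest against its expected length so a truncated or run-together hash is rejected rather than silently stored, and then sweeps a directory for files whose SHA-256 matches a record. The three embedded entries are copied from this page; the function names, the `.infected`-suffixed sample file and its contents in `demo_sweep` are constructed for the example and are not real dropped files.

```python
"""Parse a sandbox 'dropped files' hash listing into IOC records and sweep a directory.

Added example; not part of the original report. All function names are chosen here.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Expected hex-digest lengths. A labelled line is accepted only if the digest after the
# label has exactly this length, which catches truncated or run-together values.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")

# Three entries copied from the listing on this page, in the form the page presents them
# (fused labels, or 'Filesize' split from its value). The second entry has no path.
SAMPLE_LISTING = r"""
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.infected
Filesize248KB
MD5ef899b6429ea294a097bdda74dd97a69
SHA1b16fb57162d9e4daf87f6e382abab04bee89a701
SHA2569ce2a59df0679ccfbafbaa3bb522aff25e787d1212d1fc45253d796eb8a31419
SHA512f9c438946daa9940c2143342a2972b102c9d90ca72f4b4d073e9b92373a254c1be2621e855555d5b48e19421346008d4ea4a9b6b0f9c18b8d974d2aa82bc9437
-
Filesize
2KB
MD5bfd8822fba10856263e56548658d519a
SHA16371a05a879cb94f08d3eb984642fcfe2b09b9a9
SHA25680df43b521f25fa2a046e01459f74fa633ac1d8d2f84054d40da251b6f25d400
SHA51242b32c8979f767f54dd863583d718199dd7459a994c307d2d7126ed2187a8427e071d51690ef5cd7ea32ba901b4196c19ff6e8faba74f7504c3e4562621207eb
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden
Filesize1KB
MD5da3f2c09eeb1ccfebf44acbbe1eb84cb
SHA10c5ec6bb403303534c06608d476febed42986a7d
SHA256ffb1bf9f43ecacfe01c80b7cecbdaf8396daa49f935a5650b7f005806d13174b
SHA512d2bafefaaef8876059109eb35150fb474c3820cafaeecc371b1681ceadfce59e93780f509d2ea465f2baa9fcecada7c00d78538e53e832467b091b439ec3fb3b
"""


def split_label(line):
    """Split 'MD5<hex>', 'MD5 <hex>' or 'Filesize1KB' into (label, value).

    Returns None for a line that carries no known label (treated as a file path).
    Raises ValueError when a digest label is present but the digest is malformed.
    """
    if line.startswith("Filesize"):
        return "Filesize", line[len("Filesize"):].strip()
    for label, length in DIGEST_LEN.items():
        if line.startswith(label):
            value = line[len(label):].strip().lower()
            if len(value) != length or not HEX.match(value):
                raise ValueError(f"malformed {label} digest: {line!r}")
            return label, value
    return None


def parse_dropped_files(text):
    """Return a list of dicts with keys path (absent when the listing has none), size,
    md5, sha1, sha256 and sha512. Entries are separated by lines holding a single '-'."""
    records, current, size_pending = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if current:
                records.append(current)
            current, size_pending = {}, False
            continue
        if size_pending:  # 'Filesize' stood alone on the previous line
            current["size"], size_pending = line, False
            continue
        field = split_label(line)
        if field is None:  # an unlabelled line is the file path
            current["path"] = line
        elif field[0] == "Filesize":
            if field[1]:
                current["size"] = field[1]
            else:
                size_pending = True
        else:
            current[field[0].lower()] = field[1]
    if current:
        records.append(current)
    return records


def hash_bytes(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def hash_file(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_against_directory(records, root):
    """Hash every regular file under root and return [(path, record)] for files whose
    SHA-256 is in the record set. Only SHA-256 is used for the lookup; MD5 and SHA-1
    stay in the record for cross-referencing other reports, not for matching."""
    wanted = {r["sha256"]: r for r in records if "sha256" in r}
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            rec = wanted.get(hash_file(p))
            if rec is not None:
                hits.append((str(p), rec))
    return hits


def demo_sweep():
    """Constructed end-to-end check: one file whose SHA-256 is in the record set and one
    decoy are written to a temporary directory, then the directory is swept."""
    dropped = b"constructed sample content, not a real dropped file\n"
    records = parse_dropped_files(SAMPLE_LISTING) + [
        {"path": "<constructed>", "sha256": hash_bytes(dropped)}
    ]
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "report.docx.infected").write_bytes(dropped)
        (Path(root) / "unrelated.txt").write_bytes(b"nothing to see here\n")
        return match_against_directory(records, root)


if __name__ == "__main__":
    for rec in parse_dropped_files(SAMPLE_LISTING):
        print(rec.get("path", "<path not recorded>"), rec["size"], rec["sha256"])
    for path, rec in demo_sweep():
        print("HIT", path, "->", rec["path"])
```

To use it against a real listing, paste the page's entries into `SAMPLE_LISTING` (or read them from a file) and call `match_against_directory(records, root)` on the volume to be checked; matching on SHA-256 rather than MD5 or SHA-1 avoids false confidence from the weaker digests, and the length check in `split_label` is what stops a copy-and-paste error in a hash from quietly producing a record that can never match anything.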