Malware Analysis Report

2024-09-11 01:52

Sample ID 231013-rcm3laac7z
Target IN.exe
SHA256 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
Tags
medusalocker evasion persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51

Threat Level: Known bad

The file IN.exe was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion persistence ransomware

Medusalocker family

MedusaLocker payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Deletes shadow copies

Renames multiple (7545) files with added filename extension

Renames multiple (4413) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes system backups

Deletes System State backups

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Runs net.exe

System policy modification

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Kills process with taskkill

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-10-13 14:03

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-13 14:03

Reported

2023-10-13 14:05

Platform

win7-20230831-en

Max time kernel

151s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2080 created 1288 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (7545) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\"" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\"" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Installed_schemas14.xss C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT98.POC C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Windows Media Player\es-ES\wmpnetwk.exe.mui C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\gadget.xml C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01561_.WMF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46B.GIF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\calendar.css C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107344.WMF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR13F.GIF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALNDR98.POC C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Luis C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\info.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsNotesBackground.wmv C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_CN.properties C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.DPV C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\it-IT\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21307_.GIF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\NETWORK.ELM C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21343_.GIF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Chihuahua C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\utilityfunctions.js C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\bdcmetadata.xsd C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\trad_dot.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKACCS.ICO C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\HEADER.GIF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\THEMES.INF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107024.WMF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153398.WMF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXT C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\et.pak C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Cocos C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03795_.WMF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBOX.DPV C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBLR6.CHM C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01793_.WMF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR23F.GIF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files (x86)\Windows Media Player\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239611.WMF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2424 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2424 wrote to memory of 1212 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2800 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2800 wrote to memory of 2272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2080 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2720 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2720 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2720 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2080 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2668 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2668 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2668 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2668 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2540 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2540 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2080 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2512 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2512 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2512 wrote to memory of 2532 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2080 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 3064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3064 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3064 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2080 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\IN.exe

"C:\Users\Admin\AppData\Local\Temp\IN.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Users\Admin\AppData\Local\Temp\IN.exe

\\?\C:\Users\Admin\AppData\Local\Temp\IN.exe -network

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

\Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html

MD5 a8514fd9f3a52ab2a00f57494d03b2fe
SHA1 0e204aabbd8b5d6ee1b36d10429d65eb436afd14
SHA256 056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
SHA512 6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer

MD5 f546018fa9865b6ace4bf5f7ae39caec
SHA1 c3602bb8743dd823890965a9ce5301003c535880
SHA256 660b561f1a51169c795046ad272d0d139b4f334a37a3d752ee40d89dfd9bdff2
SHA512 4971a0836e4a542d70e393cd72b362b298c5da2a2838d6ae2b88eb9f825af4194395967c2a0c375de64aba3c64c946216a4947d501e7c66ffdbf2dbda9b4dfe4

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.infected

MD5 03a4c9721d5e6fb3fc4abcd2ad9f9212
SHA1 ed259566713f4d818d4423967468633dcdf7984c
SHA256 3275523740d5961a14c6d83a51df5ed92fccb3adfadf14233e9d092309ff33fd
SHA512 7ca8c44d36f5952681439c95a4d553e5d97975f08399c8194f34bc0c6e6e12dd0b7178ff24806790705a325b40261eef4fd57aac2dd435de55acf70e8dc289b8

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

MD5 1305489f4a55d4aaea10ee7a22ef079b
SHA1 238b16b9622050aa6bd8599d4fc87ac50df13acb
SHA256 4d5ab55ae1d766a0ced618c4ba446471e46f0595638e4342735837a24a28b7c6
SHA512 33f57e77561d5d37dc5a0bd22823d4e7580bcef7c28c776386e9f47cce5bddffe99b1515f481831775fc31af6e1f56f856283d4f2dc721bfc8d1e345f7915666

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

MD5 124e30d672732e6fc7800e0b35457212
SHA1 bd55057aa1380d867b88c1983f2c480bfee53f0c
SHA256 7f0b824d6d7d37abd2b2975f5d9db7d2855b1d4dc674bc2ba6b6b8cd475dae52
SHA512 9e9b94261366361adf19bf4187a5999531b21a96ae17e2158619d25811a229e8033113737576d04df8ddf6ee1ea8939ced55509ad771bd8adc09622330dc93b5

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

MD5 26d24c84b169ed7621db4c9d6a82ec53
SHA1 3dc942e99d7124c3ee50e59e1e7d2bd3fe53f9d1
SHA256 d86a3685e103366e53792a6b9a7eaca74ea56fd4b20b4f3cb1e3c6fb6fcbd845
SHA512 f742a402d14064eeea568294d16fdeae92bf814db2e421c3fce44b3008b4677ae055a506ff1dbc2f24be5f0d399055cfe3ab0a2c563e3c3ea9a46854bec6e9a7

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

MD5 aed4d293c52931f89cd344b6d017569b
SHA1 37459ddfd530a0d9679ed589aad728f8ab0b7d00
SHA256 0ad55117355c0b102d370a8373093b1eb02729643d927e62412ebc68680b557b
SHA512 cdc48a729fb8d51e7463cf40de5240bef022764d8e1338fbed8981bbd73d7b8ea4057d1dfcfc9f138190c1ccaa5a1449b995832ebcb38d6c053f1fe434765836

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 aaa1dcb4b6b2cbcf6628542e8ce9be20
SHA1 886b1e35bf355107634a5a4e12d832654e5750a8
SHA256 916140d2f1d05320e7dd27e6f6e13b83b42c49bf93d99c8647f57688bcca1fda
SHA512 c2c81c42c76422368b8b1dad9620e97e853712761a5b0cf2b6c0878e9379f71be109f8fa08670c5307dbca17fcdbe3c2ed5ef97bc4b8d33658a7a3cdcee02fe4

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 adfe1bce278c8b6c07fecf75bc8cb899
SHA1 97b923695b3d27d5bae03b1ceb458d9a4ac9f5e2
SHA256 de7bda0f7393385f171775324d5a35e1c40054b691ce72a2e043e61984b28198
SHA512 40aeb9e639960febb61c77218f56e9e35b746ca57b3df5ca91fba9006e4959d77cb848c697aa5e468c5a134b3d4e81b6ff4e86ba6b216f56721ec357ad0b1418

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 185ed89b35f68193ca4f49eca79290b2
SHA1 cfcb059c38eb2ebd95f3d433b7fa32e517c39c7e
SHA256 2ea10924ba4116d5d0add0e13309128a0dbc680dec7163993b22e7f46f63e3ff
SHA512 bd1f3e26405931f2d6465a114d40e70e52cbce9c7cd754816cf7957ab100acc929c937d9038a0e75e1963cd2d94d2ed8938ad46f1afbd0e9b511c9fdc6f2d607

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 8c2903c9f8c3ff038ba5e81496ffa88e
SHA1 c3aaab77902f15b26ce9d6cddfb2c2bafd714619
SHA256 e0585a3dd774276cc67a7a9222309bb959147e43b4eb81b0252c7faf43cc139f
SHA512 c6a21f408b45fc26ceb8c3d28a742e01d2c94df091d1b4e46477b8bf5db44bab3971df0470be3786dca2177d6fb2663a60f0a76cb41550c8cf879fb9b1ef47d0

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 80881b40bc14822560282edfeb5cab66
SHA1 bc7a83899ef5f2d08e95ffce5c8137c46c3b91e9
SHA256 54ed1efc1a7039f41cf20200cb4c187a40c3f599b9dd090426e850043bf450b3
SHA512 a42bdac3278f2199c42541be32f9881b5a33697cfd5bd5af38b44194cdb2c1ac9dbf9f13d7a0a22dcc306a06adea01fcef0013d28d4e60cd6e8acf6ed6b53eda

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

MD5 36e69de3a0f952d1976088c704e425a4
SHA1 d0428343a1af3ebceb01204d6c3ee56489c9a6d6
SHA256 b3200c859ccb0763a6cb46d4832e70ad529da2d8d739588779900b8afaacbf78
SHA512 5c14120d2a45d543341fe6f620208a4ed8705ec6d3c34d167027b36b6315cf5d91e95925f8f63a8e42892245dbad696fde5b8120f0559bb68eddfb3b853bceea

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html

MD5 dca48728f86b631d5fd1a206c38b2922
SHA1 1ee5d70ad5483879a19110af5277aa7d25e92b63
SHA256 ecbd951f3cd628df2ac3d8628c6d1b5b02cd6009bd583e898d92d19f0083184b
SHA512 398e788a1aa45be5afd2168a3634f85096388f6778e4336303e805b9cf2ac806ed7137ae06141ff1d5e0864ca9832d6ecbbc3be5357f81d0c5bd4c685ba26b64

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

MD5 da3f2c09eeb1ccfebf44acbbe1eb84cb
SHA1 0c5ec6bb403303534c06608d476febed42986a7d
SHA256 ffb1bf9f43ecacfe01c80b7cecbdaf8396daa49f935a5650b7f005806d13174b
SHA512 d2bafefaaef8876059109eb35150fb474c3820cafaeecc371b1681ceadfce59e93780f509d2ea465f2baa9fcecada7c00d78538e53e832467b091b439ec3fb3b

C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 9e2b4d8ebb68b683840bf5964d4fff2d
SHA1 f58f367bcd758fbbc26d2b5491b71d40b67594c0
SHA256 649591be527ad8bb0cb34ee53921f2da9f9412e313fb2c161e7b54bb4989f5fa
SHA512 cbcdf4f3e02e2e2a79fbbca0a4af5e7a6cfd40edc32f54bb4fd3838aa5eab7ccd1691d68629c1067ac212233ffb4038c189a71fea40eaec234a59244b46b3d87

C:\Program Files\Java\jre7\lib\zi\Etc\UTC.infected

MD5 fcbf75476749e31aca4f14afe700482e
SHA1 ed62ba9974c6509909f94692207707dda8283e4e
SHA256 bd1d12dc7a8708ff370c7efe4292fdc040bfc4fb1e41b8bcb20ec84aa5042413
SHA512 42732a1492e215a53acc8a8679daa55bf3d70cf07f09fe5d58c6e7118171aef701f3ffd48f53ebdf1c3b141dc8d86b87a741b115fe22e24d3b338dfe96475b11

C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

MD5 8330845b84a2b8fcdfb52131b17a595c
SHA1 82b35ac530762637310950929a9dadacd56361f0
SHA256 1094274d712a9ff2d589ff70389e75e846e0cb5b8565d2fff532ec2b70b24105
SHA512 cba232945a952a0df853a47cd379e9c19e161a0006fa5fdd59868f83b00508a38cb5782fd3098b5914e19a649efd9c0592b8e2ad585119725b16a9367cdcc489

C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

MD5 8e79f9682c66c4e4ece5bc48cf8a7a3a
SHA1 a851a04fee26700f209454ba125b708bb4b54ca1
SHA256 5bd7b1c0f9d45604218628c119527e80f329613908c00152da1312e34ca887f1
SHA512 eef88238c382cd841fe674654755d12a9e920bcc96972c7765ddfb3e124321acdabca26f35995a711e6777bdb4eb0a3db83e8c4b58d9c0141d7c8e51a5710551

C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

MD5 28c694803310be781eb918d7523c9233
SHA1 b2ef29a93f097a46798aba423e588b587c573b2d
SHA256 2cb719358a7674e1f0e213bbbb071bad49e929b96b8769393765e1b2d5a6d98b
SHA512 ed0814e8bf01dfa99f44908dfd39cb2c734608bb53d643ce7f2d3cb06919c41831eee31c8782054fc051ef136c780e94a0acfb77da164d5325f9bb85c382b8b9

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 2ebe7920c0f1e4a6495bf69b30cdbd52
SHA1 b7c6dec35942dff7a0ec651988c2874fc9ab794f
SHA256 bad480c87ae2b7b7ff7bcb36afaa03a315781072eb9cebab9630eaa3ef55b586
SHA512 5f1c5e88271a2cc2338bdfecc0b3e809caf37b201afe05def4668d3dcfc8e99d7c9f47dd33c5d02051af20d669a30dcd1b786208ede05b391f25223c3acfcf77

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

MD5 199478f663af48df9ec6ae188c1cc172
SHA1 82e15a4ef733271315e2df4ac9fc9268a2aa8c62
SHA256 d0887138e3ba84af7096f3045c06b6c7b9b574622cf7723dc1d03440f4559afd
SHA512 2ae6ac62e0b7ee9b1ee066894582df84ec1b7daaa3d670a5038f33dbcd6a9f6ada654f050df96af694e16b81d91f76631d0a59b237318371a580c4e37542538f

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

MD5 48452522857b81bf9b83755d38ef5e26
SHA1 fc3a10874957587e1af69238824e3768fdb19817
SHA256 22f5f633aa2cd31220742d59aada5fcb19e055ccbc4c26b10d95797f39db918e
SHA512 d87557b0ab2442f6ddc687a8c6a196c5adc115864624da6c40cff03d5e4a66e15bffdfe943403202612242cd820feb0da125a99f84dcd1e6abb2a5af71fdf128

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 e5b0db35d56400f48188c95b55da3798
SHA1 33acb2ad5490a63b70ef713d6cec64e135de3a41
SHA256 c3876929b44f55509f773386b47c04425f037ce1cf47635411fab7759a5b6a49
SHA512 3f71875da4b8280062ff386eee52235b50d4e097e77ab5f8e14cbcb1173fce29e70865c3316817f9c7127f33c27ee7f79a8a621d67a96fe514b09e03c6cf190d

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 138e03605263af78e6eb831af5116052
SHA1 61d5141fae9e36f5bc62c02a3e0d0d906e61a13b
SHA256 fd4cc74be9d3637c05f6bfefe872b2054e17491b1df72a2649e8779888621f21
SHA512 9c9e589fc7b440f28ae175db0e08b151d45325edd1114a5bb3b7cc5e20bc065986ccd3d1fa97c935705e7224378719c5867525a456503592cfa7c1de50011ed6

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK.infected

MD5 d7002f81474b154e6a004768cd01672f
SHA1 766a4cac87f480c78eebaa6ca1f182a72cc90c1e
SHA256 5a811812aa8ada0d647f87d99f596fa5bb20ff78fa2245d96bdc64cfcf44c202
SHA512 58178ba34c27a8ddee643fae29567eab96e1bc2f569885dc9bca9495a4bbf66b236e249cd6edbd4faa50fb6ee8bc190cf5f0c992eecc614ce94505385bc180fb

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

MD5 36eefa9cb22dfdaf8dc49a89af19a26b
SHA1 fdfd3c03c0642cd19464fde9248c853c750f2dad
SHA256 1a18bf09aae35ed699a9ab6861683d2b7bcedbe6f05a9f95e8ebeac6a7e2b25c
SHA512 8f07df099e96217bc5522dc64c86a9f6a9b212b727352f907353fc8d78b5d3c78677d20715c14c249e79405b1462fcee964158440d9b556e69ddc17fc67beba1

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

MD5 4f3b20d78f1d35a400e107b99e91c6ef
SHA1 c69cbacd2bb58bdf18077b1daeaec2981741f63d
SHA256 fc295fabed69a0123c438ae3591ac6c2287f52fb973e8b0708afdd742d21644f
SHA512 83a4e88234099b87bc6c0d638bf3f1657d391306174639888618c529982dad174c40f30f6917d7e0dd2f834fd58dfc33c2fe0e3f5df47a2f2a52ac75b5e2212e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

MD5 bd3845477c369f46438b14f37f20bfea
SHA1 2cba279e4b24d741dcd9b504ff6b787915418dbd
SHA256 5196d0cd831938e86202c4f564474c4aff52dfa26de2537ffba19e4ee73b8672
SHA512 9985ead39ce6fda81b01f5277f519af3e9ceab9f55b45605cb879efbd6e26b0bdb14307eb0291c86f2c4738202d83ec17dd43c422440afc46839c069e5e5c97d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

MD5 98784cab0b4e6e7ce65b08b8a1a720c9
SHA1 bf826a9f1b5c32aa42c345a9c456117f97035e9a
SHA256 7276195566f812e2c6f8b8ced7647cf903160f9dd73dd6ba4b3eb540781865c0
SHA512 2aa0700a80cd1fc7eed20f22492ac0781bacb188a55f38e05f861dbabc1ed841c8a2d47ee16d925727edd32575212322011c595a1c28237cc787e39f1a51b106

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF

MD5 298b331a4bedf95b9ae820bab7b725bf
SHA1 b337737e414e64ddc769c711fbd799e7b753101f
SHA256 04c94f091a76d9bd6f3e11e4b470b406bf869e0faacec6bd17b23e3d98c12eb1
SHA512 39835c013fc4a4d70952d8deaf8cd72620b63c95ad6264825f57c031af2e2fc707b658d1bf19d01f9bb2d2f33731eb5ae4d4a725198ff4edd5e3d3c1916a702e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

MD5 1c2ee5973c818179bc21bafc176e3761
SHA1 3d8314b49a086e9fc9e8568559f1cd717cc8b27f
SHA256 0382392299a83d6ea07ca6489e476c1b815205526b3c2ca5a2242dafc82d0894
SHA512 4ef8adca9c8d62769c0b6a9a484e6d40e00c14039e0c4917b2c28005a13c10b8419a6bf439cd444427216d0acd838947acf09e5ecdb86898d429245ce1817fcf

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

MD5 1494cf5a46c3b23c878c83b893996c69
SHA1 c8594f5616850211b0dc7e82f61bafc68ddd8c66
SHA256 19aabf582755ff74cb224181cb3a98a9e165988c52cdcc7a082ad9e1c1114ed2
SHA512 87b5736b2a20ccb6a6674e3a5f147b772b29f771812b366163ccfba97b53f90e0def2c6ea07e113a34abb2821058d268089e2358e03144f82d0e75f3d498af88

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 44a9cc4ffebc99661110c0360bb12689
SHA1 ff5b2bc603ffed12dcc0bb4d09b522facbf05bbd
SHA256 f9eece11843f46998288065810be7616d94fc2ee60f20a6a34a18a394e41fcb6
SHA512 5dea24a4e8be13436ac7e6a3816fd6dfaa8e9c8ffc9b535ef0090068457c8c61ae6698b287b2b8558f5b5b3f2e891943cb1b8d66cd7da8893ec1440f888b7e9f

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 a6aca18990b30c7b03d9d267b9bfe605
SHA1 c6a03f773f1133ff77eb8fd4e8a82409519504a1
SHA256 3e800b976344a7dd2973aed5f7042ee1d9f9032fcb4befcb551e57d7a7fb65ae
SHA512 c2c7b84bb98d7380192b5e378d4380075edcae7e54bf80b74df525f36b09093252438a4edc1637fc2c4da514011d6ccc654487954c5e5c8bbda63594e676ecbf

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 7fc541e2a356cd8678f82a60639806b0
SHA1 22ffa7a0820d470ccd1e87e0cbe26cb2a41cb5f3
SHA256 a6040349a1b7a277124aa5453ce06c4798c3a58935d1917163448f2513a08cd2
SHA512 771c11f5e9e34a14a712a52f05a570d20325001b61d50edb9abb6011fba96ad3153ed47b5cee89f082f01317db27259fc43a67564371c8dfb770b4ac0ac1d3c2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 900d02b47cb7aaae0bfe14cd9b376f74
SHA1 2b798d7eb8580999b56626b33c5c19955b69e646
SHA256 41c77e3c6f3cb3446fdacc17e0b66dfb3078553a65efac6fdd77415e458d060e
SHA512 03f96c390febb8aa7f0762cbec5fae836f2d6ef9d88fc3a598875446a854a2f4c81d1c7e1d6a293b4ccfe2065fb107a0b2d1eeb88d35b725fb1d2197bd5bb33b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 6d131195bab3b0e3764a6aae52447352
SHA1 8dba474586c2c2687d23dd7f4bcfd4ef42694a54
SHA256 fbbe5c7e7f8d78f8347d797c81a569817c4c81bcc6eea4a925d0f3f6a6b2336f
SHA512 6625daf5723045994fd57fe2ce98877c3ffcaf75a36c162f4a5bedd5041d07a65e4bb350f8056e9ea67cd2bf2cf4a9ebc37d89d6bc17f6f2bc548da5698a0c5b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 1bd9b2dca6ae4e42aa530412f69d939f
SHA1 0b814377543d1a8aa275a6898089b2b317f034d1
SHA256 ffaeea56c18720a34a424777a69555be2a94ca808809e94a8deee75ad88f98b5
SHA512 dc462ae055600dd931df6c581e8319e8e49ef01f29bfeeb40b790c313532c69a7783c8b3aef2cbbf9831122a6817dbb3eafe6702209384057b056b541c963772

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 62fb1064fb64cefa9dca22b72c3fece8
SHA1 b2a15396fad1b0e66619c489dc1a2d8acfbc75a1
SHA256 abbbe84bfe5e950d7ead24c05971db38ce244104516063f955139d913142c6c3
SHA512 84080f9f88734267a6de986be9bac34ec26f5fa95e15be35abeedcbf42ede93bc9b92a23dbd8fb5dbf48ef681410b818860f9d8b275736c87e777b866db00944

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 fc4f28bad2232367757ee1ce93572bd9
SHA1 b9b950e5570029a8512c3a819c7d0fdc89ded6a2
SHA256 2a999ede73d0b2e8a632959a0c8557e7d0085dfc70601c9d329c7f2d7778a586
SHA512 dd80f1bc7f96c4dd5f1fbae44fb9ec106fbe689033aa55c7e0ddb58a4b314ebc85b012d8d961217841a636c0eeca8f0130faf1185a96b0a658d308a753f5a31e

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 fcf3f8a2371b904a59c97ea9dead60dc
SHA1 3f4b5bafcf9828fa0868ac5585e09c34c5d15edf
SHA256 35e8d4b8cd4feea2f59d1e59136af420f2fa76f42921386bb9724a5fdc8db7a4
SHA512 0b3e7910971cd554968e77aef5cbe8f13c1eed7e119006c0527f0fe7505b088abb7a1538ccdcc47caa5635533d4d926abdbbdccde9c8a5c9d551c256fe18d063

C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml.infected

MD5 ef899b6429ea294a097bdda74dd97a69
SHA1 b16fb57162d9e4daf87f6e382abab04bee89a701
SHA256 9ce2a59df0679ccfbafbaa3bb522aff25e787d1212d1fc45253d796eb8a31419
SHA512 f9c438946daa9940c2143342a2972b102c9d90ca72f4b4d073e9b92373a254c1be2621e855555d5b48e19421346008d4ea4a9b6b0f9c18b8d974d2aa82bc9437

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

MD5 bfd8822fba10856263e56548658d519a
SHA1 6371a05a879cb94f08d3eb984642fcfe2b09b9a9
SHA256 80df43b521f25fa2a046e01459f74fa633ac1d8d2f84054d40da251b6f25d400
SHA512 42b32c8979f767f54dd863583d718199dd7459a994c307d2d7126ed2187a8427e071d51690ef5cd7ea32ba901b4196c19ff6e8faba74f7504c3e4562621207eb

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.NO.XML

MD5 811635f156d75e3604ce3a8751ce81f7
SHA1 e87c5ddcc424a9a8a23b0273fb6a9f9d0be2cb2f
SHA256 41da1f55bff0c246c71f4e742640be15683b4a1783b3039c684a1480d2f41999
SHA512 d0f024188a4f58828d8327d4d7556b90f5987155ac8b43810937ba74843caba8fec707e8021eaafedd2032b0b31607d204431989243a3ab5144c8a58010d775e

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

MD5 9d61121d40d5facba36956528574347c
SHA1 e839e5dbd065705f4ac33208e67d5ef8f3d64453
SHA256 3f0f8f467997bc3d157d61a8b7449c723c0cb3088977dfd11cb6f3cbda89c475
SHA512 29975a505687635e6551bc8dac24dc926d3208c62c4910d3780c86b3eb3f2eaa173428375359ac4c04df85c0364df0b3ef4160902a2dd4eea2f516d5aa0407bc

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.002

MD5 9d6ecb2c8a59b8b309aa5909cd477497
SHA1 c6094a6c6fbcc4c85f64cbb828c6f25c066e25f1
SHA256 1d7416951dbfc01871f9e854d8f2241f2320a01fc85ec9bf52cd6a6d4560ac69
SHA512 c193cb0241938e076a49cc5c7ac5bdfc43f21a7ac12e100691b3b52316cfbf61e13dc4558624b1eaae6848aa79f4ebdd985039de5b444ce47e2f0b426184f0b6

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

MD5 9f0d5dadfc3def66868f30eb57239e35
SHA1 82f4ad7dee5f9f20cef44ef526fb326f986ab3e6
SHA256 844547a5d3841c21abbe6144b39819525206eedbb48bd17e1c0e02ac4c265f02
SHA512 c344f70ae9d3e1566b5a3e825f98fcf6536fb33f9d25a1c10aaf6b107ded0aa01edb4286fd1ba4a35ac3b9e9349d2a47e832c9765ea0054e9fb031f9eca75e74

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 0ab8cbf35cd5f1aa467e7fc32c58b7d0
SHA1 aa1566319fd3df47b6e70d6a656459c50d4b0cfc
SHA256 e0a2a061cf6b2480599194c3344354c2836fef1f7a94fb7dbaf8d95b16d52e96
SHA512 fd6f613419f949c23dc099bb4ccb89bbd8acaddf3021d07576f0c6487c45e1be7faba8587f3001ac258df7402c34d60efc5341d2623690fc134cc1dfa1890735

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-13 14:03

Reported

2023-10-13 14:05

Platform

win10v2004-20230915-en

Max time kernel

152s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4772 created 3192 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (4413) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\"" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IN.exe\"" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\5.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_KMS_Client_AE-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\db2v0801.xsl C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLargeTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\LargeLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\vpaid.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\2.jpg C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\tzmappings C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\FRSCRIPT.TTF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\39.jpg C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\QHEADLES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipssve.xml C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\es.pak C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\org-openide-filesystems.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\boot.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\bin\dtplugin\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\index.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected] C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-BA\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_TileWide.scale-200.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.GIF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELM C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageStoreLogo.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\msjet.xsl C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MEDIA\ARROW.WAV C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\plugins.dat C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GameBar_SplashScreen.scale-125.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-150.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\156.png C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\assets\images\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4772 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 1228 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 5032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4772 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3640 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4196 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4196 wrote to memory of 332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4772 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1848 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2288 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2288 wrote to memory of 2608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4772 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 1760 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1760 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3692 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3692 wrote to memory of 4944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4772 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4280 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4280 wrote to memory of 4028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4772 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2312 wrote to memory of 1280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1280 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1280 wrote to memory of 232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4772 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 3712 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3712 wrote to memory of 3156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3156 wrote to memory of 4476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4772 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4872 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3812 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3812 wrote to memory of 3880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4772 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 4276 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4276 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4276 wrote to memory of 3872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3872 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3872 wrote to memory of 4928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4772 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe
PID 4772 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IN.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\IN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\IN.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\IN.exe

"C:\Users\Admin\AppData\Local\Temp\IN.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Local\Temp\IN.exe

\\?\C:\Users\Admin\AppData\Local\Temp\IN.exe -network

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\odt\HOW_TO_BACK_FILES.html

MD5 a8514fd9f3a52ab2a00f57494d03b2fe
SHA1 0e204aabbd8b5d6ee1b36d10429d65eb436afd14
SHA256 056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
SHA512 6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl

MD5 28a6afd89f9337d301dfb35a6817414c
SHA1 116f3cb33941467b9c4e71284a9f96ae10004746
SHA256 23ad790a1817e1d514bd4a3b4b9dcd6bd140afc7cc7ae630db4631910df7806c
SHA512 da4ee7a2045f482cbc5e347b638384d4d5617480def4ed9e64df829099ce37671f015cb8ed283627aba0bcfa704070e5215fa05a92f97e9f76b7e2940befc5ad

C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif

MD5 2dcb29e20dec2736c8798632db3cc75b
SHA1 6f1555f49711e4ef92bcd158c7451ede94a8155e
SHA256 5735519631074e9c8042b53a5fc7a93630b5b4f8263aad0d6d47853d4836ce42
SHA512 c8ef8508a7d672a27ca1c83fee0e60e4f34478906e6851fa85c5d4b6e0863e09eeface7b6ba9f3696b31935fa2d9137c8120fcdf3b7d994ac57f2461368c62f2

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 4d199889d2ea955dad481d26b2ccba07
SHA1 4214537ab79144a5308a20789cac0d71031d31cd
SHA256 926484930167651b2a765f0b8e49a3e313f4bcad41c1410663741f8aec636404
SHA512 e407acdf1ab1ce70e3045e4a4337802eeaf692e82286f65f2e14d3f58f0e7aaf56771d97b8ab31cdb62bf72291e9f1dfafd3afb6a7eb3e143813ba817be56ed2

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 4d928959b99041df39bddaaaf5ed43d2
SHA1 0370630d91d7c86486a29acac6fceae81d38b7ad
SHA256 ae5298011bb700c82082b176009c89e47c1d5c4d617b464c9ba4de8aec4190f5
SHA512 baa7fdc1f41bded76cb5fa50ace1b8f5a2abd5a9c379fcbda26f016f6385f9d97f054bb3e463ead0a50832aa467f84cc1c00514e83f27d3850b2074a20ca71c1

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 0981b86ee2087f4ca974b8aa4e8c4f0b
SHA1 f190c9a8b4238b6ba27b917a12c56ec0816e4b13
SHA256 e92465ca30da1ce7c312e0845fd6643de80196e6255c6c22e560e96b1de58607
SHA512 f4f740ce34862a3b0702b6f706511beed30882ae5b01fd581c9e2ca1c4abfe36f21bdea3ea3466a5199df00f7de6895eea3dd66c2965d9d3bdd1753977f83295

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

MD5 87f94e12bb84df29dbab343e0c53a0ed
SHA1 043e0f833667dbbfb3191ef9c7e53a7acddd9cba
SHA256 fac1745022f03639377217e5969f977f0129ab6a21c415acc9972b7cb1162280
SHA512 e227dab5dd9b643aad0eb11768f65a0ef46eafff31046e0c2fc0c420adb897691614db3cd6a3677f1d361a71ba7c4235d0206fc294a9a2939b80e5454bdd4b87

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 fea781b1796bdfe4e3a4847dd3456d88
SHA1 450b14cfc9c7cebc75831f7bbca8ee14b49ea4e0
SHA256 6858fec11fce03065e63b607faf2871faeabcec4f0508cc18fc4fa39f95337f4
SHA512 e1ba24bb86d654fff00fdc9b20fda2d01fe378717a38242968759a48a9f7224386301a7caa65529d9edac610b7d0d3af586f4f54fb1beee1832363c8211e6139

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

MD5 aa539b674c32f0029f814b729a8ef90f
SHA1 511e6253e4b3e72f3a0a378dd39e55bdbf0cfe4a
SHA256 043630cb420c156e886347c8888ff566ea06ae14ab3c8377b9b3a0b54e7cc410
SHA512 12e92e4cbfba2b5f2c08c96f726663b51ad62b3b3e6a5d8c12d3941921b7c38ae77b55fb0cdd6d596364c5541c88c95f1f59ebf4e926313fe9109d0ea9a59f5c

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

MD5 ad942aadd190d5f87a81dc0ebb425d5c
SHA1 5645c5fdaf20c48b96eee0101e5089f8533d4b23
SHA256 1f87f3ecf3a823be7cd79c0049097836cc015647bb6ab5a69280c15ffc4259e5
SHA512 85c3d92413a03b81b888db7c11f98db295f45371aae2ff81d7bfb2821170e330b3bc53cb133cb768c3a1dce2365f9ec3605830c5181398332ce58e401bdb6b79

C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

MD5 81f75a6bafd5eef356465894b88da1e4
SHA1 cd9de4cb54cf65bd41e450a6f79b5b32dae5fe11
SHA256 91e3f9d00ee9eb35751befb48dd34407d8a59d0345ef85dfee63130318db0de1
SHA512 5112bf778b34b58bb9fb376e5acb689c1d509b7313952ea1b8f8a3dce522049ff1ac6cf3844569d74698ab8a1041bf36b98e49dadbdc18b4903f4819cac49114

C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\win32_CopyNoDrop32x32.gif.infected

MD5 4561d109aa8086b9d1f74f0970230095
SHA1 088b57a3fa1a4b6c76d81f4692de523777813b21
SHA256 b1fa85695d305b5f72e82fc546430e199f9b965add31705e266f084a3d688f2a
SHA512 898b764254886f56fa203e92c1200218674e45f86571d7ad67a41fbf30f1b440994da0123e29f1d63ffe9fda0d9c81e3d0b5aa50f5d1451ca545dbb606b88c82

C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt.infected

MD5 4ac5e7732771e7b12f780a94863423fd
SHA1 aa78502d4f8522f55aaaa226fcb33f2b8b23a4cd
SHA256 656e1e8e0e37dffd0fa5496f13b3329510c4d69a981a0c1b9e93bdcf60351ee5
SHA512 fee9fc978414fba3a85eff78a2a60f305ec7c0ce085b871d9ccf54e666d2b61d1fd8faeb9496bfe8be081271d12d89f9b6f4d447b1928242f7565b782b238324

C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK

MD5 2e073ac53a2314755ea00e78b3fa2763
SHA1 bd48bf0a80a70c4ed0d2ec88a315df7f0b964ff3
SHA256 f3d1d5125c5a8f794dc5ae0cc1229d69dcef6861b490f61b1937da4f57bb2acd
SHA512 4d283bc2c8145d84de597733e2fccb579d0d51028f09b49061b5d75b68a76b5acc0767458248d8e35bfdf325bddc7fbed28a57f77f6f1c0f2df9284d68536f9b

C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

MD5 ed47191157d21d3c844b9bdbb949f3ea
SHA1 b47ec4423063693d6af4fd44ffebef995da1865e
SHA256 2d234711e173873237c80142872c71fb805f9727ed68fe5a1a14bd062e95deb1
SHA512 db4d3814106e1da285ce319ffbe6bdede012978d3b64ff8729bb9241c028c969f304a61e8cb56dd7b9a12eb11e9f34b03ffc61d8d22780c6664d18cc9d407828

C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config

MD5 cf9b6b0ec15b730323e23b4054a0ae0d
SHA1 423ce19fe8e176e11fa5093556a365ec609faa4b
SHA256 0ace23bc9e265043709195e6acd77abd01d9334c0c25e0e3dcf9fad2037ac4df
SHA512 0451ebd1dfec4415e513887ddf05c7577246095d90605729bfb8164d86c8ee11d6601cb0a7fa248e7a6c3c9d4f2b7d385c50bf82e2655bbfe3d41c27bc0cd3b7

C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

MD5 87f73a28d3a04f54daf361e764776bda
SHA1 d52485be9dd300cd5293e480cf8a5bd7942e0b43
SHA256 78f99c3155154052f3f2467a14542550dffaa1e028b1dc7505e62973e04a4cb5
SHA512 80dedcc3b71b67c276eb8f8710d496e64e1937de3aeded38a666a327111b9173209faff88aadc56ed525e40b739a6291954b22ebea30a359041756d1f6cdf657

C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.infected

MD5 6ad824473d09e175c531dc9875be522c
SHA1 93b9a532c95295e385c2dc9a17fb36f48af6092c
SHA256 955bdac0ab3eb391068cc2446095d694dd26b66f52f9147c0e92aa23d6b36acf
SHA512 1b88eae97a8906f1ecc14b010eda4907a0fc246cae0aeeda5554ed2994adf9097a39dc65a178d6b302ca34114454f720d5589924b819b8fd4adb679eca13f9a3

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

MD5 e561ffaeaa34f8b31ba37ef1d7eebb9c
SHA1 247ce123ffe096e51700c9a732f2a94357a8afb7
SHA256 f4fc6409b91f149f0e9b10082e1bd26f14664d4cce0b661581edf4f5900521ef
SHA512 e38896eae49db6a549066fdcbbd3299688bfd3412ba9f0d3f9e976856038f2eda92140544a85dd68bf255ca42726c1b3985fe9606a65a84a484e08350b90e201

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 669b3d340709b21e3bd793ffe3ba5458
SHA1 82db99cc8b6c2b556b3167b6e8d9015dc24a863e
SHA256 a02f53728436b57056c675b283e7af40191067ad83b6ac5362cf2ffb0c80730b
SHA512 74f9dd6f898273f9c40ad0ea5d7e8473c0792221c750ccd82a51e7657adfd0a9776d463c288f4815690a8fa5225aee8aa57fdcb208bc940e9587c3c1ded9ec9b

C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

MD5 21a50a201e4cde6353f7d43f27b7a9d1
SHA1 b1e362b0f7044cfa5ae8e264f6e1c6514b329c1e
SHA256 b9e2cb4ec22edf971bd67f8cd37609b4194cd52f26d2a364831f8fbda2f52e53
SHA512 26a05a3fd228c680fdd978aede5982b24642b1fb8305424937cc42cf30b571e0031ecb398692055501899e369614e44f97f7b5bd98856e01069311045f1bbe35