d7b21d35c8b924b9b59fbb4cb104c3e386a2cd2aec9eb9d149fd6f9cac9a4672

Analysis

max time kernel
556s
max time network
365s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Size

334KB
MD5

4d8bdcee20a3de89ba08bd09cd4ea642
SHA1

cc4ddf3a821eb13db3d45ed7e4b0b2ed35c2a22e
SHA256

902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016
SHA512

024944b3910f72e80d1436627812fefb7bd4b4f3e9d541a747d549743a8edc5f279a0abf45fab6b3fc5ce47eea00b22958efa04513095c86c42efe24c450f28d
SSDEEP

6144:bkv89W2QcboLPlZvqEKvSlvgXCBVnTDg3GV06rPnek63AW1g3yEXq:bk09XelZvqEKv8gXCBlPHeByyEXq

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">80MZ2+5i6KaDDsL20UMvU/N8OaBuOYeT7FSE9hSrgQsJXj/CD/5JAaYDMb2Ye1cxDaGBcTl9k79mU1DoSMkn1Z1ZAzNYKsCX+AG+5l1cKsC4ZHSMmGUqNTRPXBQ2C9ZpbCNxb/h7echB5ge+s4gxGQlUGQcy4ueKO5WwFK94k1HY3dOFlDlutd/PHY6vAfwWsKoz0MXamqAxa2i3GeZvUY5GMd+qI5Pav0b9MnrkJpKvhh+KEhTgOzPqfeDI59cJm7OCvPPAcd8J/2bQ4frhKPkG5zhzpMtM4jdx2MEnn4vfPMLyttaehf9v3L0WZ0Ro9wfQcKv66dufZs2+69jlLGc57lXL5snIQ2AhqdGB5ibuHx0K/CPOub4Q325HLR0E8UxtuDpe3aDHPk73HXb5nQlKhPqavHIFvskZHRQWBa+AkYiDXbci6y2DI1TDdM57vNk2lb44e2USDZ+U2343O84Len/n15QoVAb4CTTqKVbGoHCYPmwbUZ+9okjeEEvn95OqBRCyfoBNPciE7YUHurxQ5Hk6zI7CbkW4SM1XAulIK/LcS2QTD3f3aoqO/6NBNsRqJ5NLBCTf8pi7N7vbOB3dFSgfYitifdNCxcsEBmwjCwygDPvTAYTE31zd6zGn5WugAS+C/F8MZphdDRKcogXusf1c6FvAfc+6n+UoHWJrSrlynSA1is1IyTDfnRvHIP4HiKtSbPfpFTpxvvni1f7J841pcQWvrJcgNneDOGIV/ngvlO16wjh5d665pddtexnGtGG7phUT7Upx7SaXlLkZe8ZQqEgYNoYuM5aYtU1Va5lc8GoTtKPeg0M5isH3dOjpQRBm2/DgXh9kM+bfX2j3jhUYaAc2Voe0j12rX59+z4paoNu39AcBFyfaGGqeZFPwaMSjsnw+uC6Tuq4VcM3M/KbB+HJzQNPjjGYsbcsDSwJBzyeENW1QXMzys36H8P2FvTM/kJouPu2DEPnBXdtjhffdKj0Zic+ZHq8wMiIG/km2WOLu+O4nn+fhjDRPjVjfRNXj2dQ8JZi8coHePeejwUO6AaOZ6xf4hH4UpditxuZzDtS0NVlgORSi69D/rbvqVY6l3lNbK2GEHdK0EE05nzV9+2PAII6+GAf0BTQPnd4MSGSMQ9klotkxpkMqJEiIfoaDJhdasqHKqedPjpQP+midT14ArAv+8EIUCRP1B8xuGUnAmCqH7NhUvvvrykFDHdjHeRS+A3cxitm4VlgcTaR66ZGVQI0Sp7/f27eKEHp+0UEFWx8IdN1bzs0gaEn9yYEObCOZxXHejW/XINiXXHH7QdrVPgT7FFAl08fpdp9fnKQQLiafSoL/IvGZh2eIVc1Wbt8UP0oM33lqRjzZVS8ZUTxw/cQJ2Z+6YPbo5hR+jALH7m8AAmwiTbJRPxpKAattj1JWKtfvcWku1RNkj7fbdalhAeDhkKIALreM51FlGnu9vSJFycKJO865kKBP3Ky4erTf+zU1RCNxmZLChvkBZQC51FxnaF1n+aQtiVC3IJWtiqmITJN7JCMiP2oLOhEq3a+SQ9UlE95bvY5elSqad9Npn+Ek51D4cLSGGnob3XA5yXZ2ZkVaaSXfJ2e55Yn1ixnlk6cQoxuPi46yOgPGCiL/jd4b7pM1TTALvN9imb7Dq6FDYXs7wGebTUuCQe79cExpXRNEHU6sPZ4YT6cx8/JIWNrk0OYB1Ik=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2476 created 1388	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	19

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1604	bcdedit.exe
2936	bcdedit.exe

Renames multiple (7562) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2964	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2648	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe\""	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe\""	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\V:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\W:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\F:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\K:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\Z:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\B:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\I:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\N:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\O:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\E:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\U:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\T:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\Y:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\P:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\R:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\X:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\A:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\H:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\L:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\M:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\S:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\J:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\Q:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\A:	cipher.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01575_.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ACCTBOX.POC	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BAN98.POC	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\service.js	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_OFF.GIF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Tasks.accdt	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sq\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Hardcover.eftx	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Premium.css	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\gu.pak	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233018.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV.HXS	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR6F.GIF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanResume.Dotx	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado21.tlb	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\Windows Sidebar\it-IT\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\WinMail.exe.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\gadget.xml	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200163.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_zh_CN.jar	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\WMPDMCCore.dll.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_dot.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105520.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Maroon.css	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_zh_CN.jar	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01292_.GIF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\localizedStrings.js	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvm.jar	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00208_.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\FrameworkList.xml	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\org-openide-filesystems.jar	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153313.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hebron	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00633_.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_m.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\fr-FR\MoreGames.dll.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086428.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00798_.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15173_.GIF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2960	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1908	taskkill.exe
1104	taskkill.exe
3036	taskkill.exe
2440	taskkill.exe
2592	taskkill.exe
2016	taskkill.exe
588	taskkill.exe
1328	taskkill.exe
3004	taskkill.exe
1068	taskkill.exe
696	taskkill.exe
2820	taskkill.exe
2912	taskkill.exe
2504	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeDebugPrivilege	1104	taskkill.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	2504	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2512	WMIC.exe
Token: SeSecurityPrivilege	2512	WMIC.exe
Token: SeTakeOwnershipPrivilege	2512	WMIC.exe
Token: SeLoadDriverPrivilege	2512	WMIC.exe
Token: SeSystemProfilePrivilege	2512	WMIC.exe
Token: SeSystemtimePrivilege	2512	WMIC.exe
Token: SeProfSingleProcessPrivilege	2512	WMIC.exe
Token: SeIncBasePriorityPrivilege	2512	WMIC.exe
Token: SeCreatePagefilePrivilege	2512	WMIC.exe
Token: SeBackupPrivilege	2512	WMIC.exe
Token: SeRestorePrivilege	2512	WMIC.exe
Token: SeShutdownPrivilege	2512	WMIC.exe
Token: SeDebugPrivilege	2512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2512	WMIC.exe
Token: SeRemoteShutdownPrivilege	2512	WMIC.exe
Token: SeUndockPrivilege	2512	WMIC.exe
Token: SeManageVolumePrivilege	2512	WMIC.exe
Token: 33	2512	WMIC.exe
Token: 34	2512	WMIC.exe
Token: 35	2512	WMIC.exe
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2744	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	29
PID 2476 wrote to memory of 2744	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	29
PID 2476 wrote to memory of 2744	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	29
PID 2476 wrote to memory of 2744	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	29
PID 2744 wrote to memory of 2688	2744	cmd.exe	36
PID 2744 wrote to memory of 2688	2744	cmd.exe	36
PID 2744 wrote to memory of 2688	2744	cmd.exe	36
PID 2744 wrote to memory of 2688	2744	cmd.exe	36
PID 2476 wrote to memory of 2816	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	31
PID 2476 wrote to memory of 2816	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	31
PID 2476 wrote to memory of 2816	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	31
PID 2476 wrote to memory of 2816	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	31
PID 2816 wrote to memory of 2716	2816	cmd.exe	32
PID 2816 wrote to memory of 2716	2816	cmd.exe	32
PID 2816 wrote to memory of 2716	2816	cmd.exe	32
PID 2816 wrote to memory of 2716	2816	cmd.exe	32
PID 2716 wrote to memory of 2440	2716	cmd.exe	33
PID 2716 wrote to memory of 2440	2716	cmd.exe	33
PID 2716 wrote to memory of 2440	2716	cmd.exe	33
PID 2476 wrote to memory of 2780	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	37
PID 2476 wrote to memory of 2780	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	37
PID 2476 wrote to memory of 2780	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	37
PID 2476 wrote to memory of 2780	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	37
PID 2780 wrote to memory of 840	2780	cmd.exe	153
PID 2780 wrote to memory of 840	2780	cmd.exe	153
PID 2780 wrote to memory of 840	2780	cmd.exe	153
PID 2780 wrote to memory of 840	2780	cmd.exe	153
PID 840 wrote to memory of 2820	840	cmd.exe	38
PID 840 wrote to memory of 2820	840	cmd.exe	38
PID 840 wrote to memory of 2820	840	cmd.exe	38
PID 2476 wrote to memory of 2532	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	152
PID 2476 wrote to memory of 2532	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	152
PID 2476 wrote to memory of 2532	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	152
PID 2476 wrote to memory of 2532	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	152
PID 2532 wrote to memory of 2564	2532	cmd.exe	151
PID 2532 wrote to memory of 2564	2532	cmd.exe	151
PID 2532 wrote to memory of 2564	2532	cmd.exe	151
PID 2532 wrote to memory of 2564	2532	cmd.exe	151
PID 2564 wrote to memory of 2592	2564	cmd.exe	40
PID 2564 wrote to memory of 2592	2564	cmd.exe	40
PID 2564 wrote to memory of 2592	2564	cmd.exe	40
PID 2476 wrote to memory of 3060	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	150
PID 2476 wrote to memory of 3060	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	150
PID 2476 wrote to memory of 3060	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	150
PID 2476 wrote to memory of 3060	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	150
PID 3060 wrote to memory of 2416	3060	cmd.exe	149
PID 3060 wrote to memory of 2416	3060	cmd.exe	149
PID 3060 wrote to memory of 2416	3060	cmd.exe	149
PID 3060 wrote to memory of 2416	3060	cmd.exe	149
PID 2416 wrote to memory of 1908	2416	cmd.exe	42
PID 2416 wrote to memory of 1908	2416	cmd.exe	42
PID 2416 wrote to memory of 1908	2416	cmd.exe	42
PID 2476 wrote to memory of 868	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	148
PID 2476 wrote to memory of 868	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	148
PID 2476 wrote to memory of 868	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	148
PID 2476 wrote to memory of 868	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	148
PID 868 wrote to memory of 2900	868	cmd.exe	44
PID 868 wrote to memory of 2900	868	cmd.exe	44
PID 868 wrote to memory of 2900	868	cmd.exe	44
PID 868 wrote to memory of 2900	868	cmd.exe	44
PID 2900 wrote to memory of 2912	2900	cmd.exe	43
PID 2900 wrote to memory of 2912	2900	cmd.exe	43
PID 2900 wrote to memory of 2912	2900	cmd.exe	43
PID 2476 wrote to memory of 2940	2476	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	47

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
"C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2476
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    PID:2688
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlbrowser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2440
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
  2⤵
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
  2⤵
  PID:2844
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
  2⤵
  PID:2292
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
  2⤵
  PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:368
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2588
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2936
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
  2⤵
  PID:1644
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:864
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:2484
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  PID:2500
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
  2⤵
  PID:3032
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
  2⤵
  PID:1808
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:872
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
  2⤵
  PID:1776
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
  2⤵
  PID:1176
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
  2⤵
  PID:1184
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
  2⤵
  PID:1168
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
  2⤵
  PID:2320
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  2⤵
  PID:2212
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
  2⤵
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
  2⤵
  PID:2436
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
  2⤵
  PID:2420
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\A:
  2⤵
  - Enumerates connected drives
  PID:1560
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\F:
  2⤵
  - Enumerates connected drives
  PID:2388
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\C:
  2⤵
  PID:2932

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1388
- C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1632

C:\Windows\system32\taskkill.exe
taskkill -f -im sql writer.exe
1⤵
- Kills process with taskkill
PID:2820

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlserv.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
1⤵
PID:2952
- C:\Windows\system32\taskkill.exe
  taskkill -f -im sqlceip.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
1⤵
PID:1588
- C:\Windows\system32\taskkill.exe
  taskkill -f -im Ssms.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:588

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
1⤵
PID:2904
- C:\Windows\system32\taskkill.exe
  taskkill -f -im SQLAGENT.EXE
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:696

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
1⤵
PID:2108
- C:\Windows\system32\taskkill.exe
  taskkill -f -im pg_ctl.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2504

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
1⤵
- Kills process with taskkill
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
1⤵
PID:1532

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
1⤵
PID:2376
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSSQLServerADHelper100
  2⤵
  PID:1336

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
1⤵
PID:1492
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSSQL$ISARS
  2⤵
  PID:1664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
1⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
1⤵
PID:1272
- C:\Windows\system32\net.exe
  net stop SQLAgent$ISARS
  2⤵
  PID:1144

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
1⤵
PID:340
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop SQLAgent$MSFW
  2⤵
  PID:928

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
1⤵
PID:904
- C:\Windows\system32\net.exe
  net stop SQLBrowser
  2⤵
  PID:2488

C:\Windows\system32\net.exe
net stop REportServer$ISARS
1⤵
PID:456
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop REportServer$ISARS
  2⤵
  PID:3048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
1⤵
PID:3044

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
1⤵
PID:1688
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2960

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
PID:2732
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  PID:2964

C:\Windows\system32\wbadmin.exe
wbadmin delete backup -keepVersion:0 -quiet
1⤵
- Deletes system backups
- Drops file in Windows directory
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
1⤵
PID:2740
- C:\Windows\System32\Wbem\WMIC.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2512

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoverynabled No
1⤵
- Modifies boot configuration data using bcdedit
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
1⤵
PID:1704
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:556

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
1⤵
PID:2972

C:\Windows\system32\net.exe
net stop SQLWriter
1⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
1⤵
PID:3016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
1⤵
PID:1136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
1⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
1⤵
PID:1096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
1⤵
PID:2308

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
1⤵
PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
1⤵
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
1⤵
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
1⤵
PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
1⤵
PID:1180

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
1⤵
PID:1508

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
1⤵
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HOW_TO_BACK_FILES.html

Filesize
5KB

MD5
a8ba88e166407af4c893822bf3590959

SHA1
5daafd7578d5079db80a67e9ba37da77a62977ba

SHA256
0ef756c2e808be4761e24cfe95b9d500e500f723332e5e9dbf53ef3a879a6da0

SHA512
04b1ba3bd14ac7b46f475c81fdd022deaf6099b57d14ac54f538a99f1bcf94e8e1fe58227f08e07301e2fd619d742f99e3980c8ccd876bd23456f780bdc59904

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
6ee80656f7846ffccf9ccc6f91c4f79e

SHA1
ee4c81f5ee6c40eacc9a37082ecba23efea86825

SHA256
3410d76c3c8845b1331f192e8a8758cff57984249007b6d7cd130acf8f9b4bb5

SHA512
a892978578d5902599ce41c4be1508d8e516311214d74a54dab06b7a3a21240abcd5df0985083e269b94d11638da3eae4dbf76e2c432a2e404fbe4c02fbba159

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
29b337b7753cde26b692ea7c42b5b4c9

SHA1
124480043fc3ebc6073bdb95cbdbb0559f09d783

SHA256
8bed3b1a488318bbdbe397b45ea59bc06ebdf1c9181ea3e3138b0de7769c7cb6

SHA512
e28b12eb329a0c2c90370e005317413c2ed9466018edb82fe887370c178efdf71fe3ce13b0dc68d9a83ce17a1cff492879ea225a40e5c3d65bb0a936eb019ec7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
7159875158f213615b7e0261dadceb0d

SHA1
67b6ec8381028a80d66dbf658971ff9429452466

SHA256
a353736bd2678ad106c77f26efc4cb6321c652a71b0fc2b6347620efbfe694c4

SHA512
bc5859c98c7d50ba3ba088197a39ee7d9a216ef9e0d630fb8d8eba9e15e2402ec0f94f8eebb5166e40958a83ee58a8e14ceb4df0fb84e85f71508b2a01bac9f7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
fe6116fb5f041556a15b37c8a5fb49a7

SHA1
037c721399a68ec5e5092f98dda6f17d2896c4d8

SHA256
333eea0c96c890c29d24cf99feadf2085ef1643d5d05833c6899baf75bdcbd29

SHA512
f8628d14b7b34562ab125b48ee8c3d1cbb31d16fd9a820d9ab276d640fecc2e6b6c4a4ec10936c4323fdc7c6cd66af801c38410e925083dd8b5a09f33ac91785

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK

Filesize
1KB

MD5
4f869f6bc77bd945e8e6e311f3c70d87

SHA1
6376a38a47fb963e3d268b07274a9527e2cb8704

SHA256
48123e32bab5bf4ee9112c4d1babada11ee9c97508bb123409504baf3614ebb7

SHA512
c974c13f7269af19dc758b32671d510d9054f533fe3b2e56b11a8c15e5bfac2223b4fe059471bd73c8d8c2a0ebbe50e652dfc6a9cff56eaa9220c05006e02526

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK

Filesize
1KB

MD5
917858b406cdfadc95f28b56d149aa5e

SHA1
b39f62171890f1993c8c1142e68552d357a1273b

SHA256
2cf7f21b6c393760ea250c5bdf99711abb4556a7f2f5eac41b57370b2b8e112f

SHA512
c95b2f5a1b62872ac11035cb170f12818de14ca41bb896822d3dd87dc422737866e1e7b5322780278c99672fe3fd979c8f63067bbec9c380bff3a543a058a8ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
acaf12da4627226d2b083a841abdcd04

SHA1
c605561b681f0ee2ead2d4624d6f19582b1aa3f7

SHA256
83dafbbe547e24534062cf2625a27da9097bb23217bbfe9992aaeb7e3bc95935

SHA512
73ca265d176dfd26306bb409b13dc7a9e92ce339d9926cfbd8612945a8f1a9757ba1980775fc6872c879b0971def10b50f387daa2af9313316479fd1c3617a74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF.alock

Filesize
1KB

MD5
3eebf996f70b432ac7420d3a5edfd0cc

SHA1
5522641cc3d1b57628a7a3c8a7f6c2595d16784d

SHA256
55a233459f9cb8dd2b79bd3589a9ee2c810e817acbb17b4c699d8a0a79e01bc8

SHA512
819361a0628bc9fce053ecc294529f3ea4cc3b17311a873bcdd7806b1db6df3e678c825b35c9753867b800d79a6d273780d9fd01b649657eedec16e62d7bc54e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF.alock

Filesize
1KB

MD5
529804d266d30c786c2dda4d28767937

SHA1
a3cc1f64a879498e0c07a5fb5cebdd0de9d9d42d

SHA256
19614b537f054a5b2bba94c1f8d2dfa3e8a70d2d9288162cca3fbb0515ba95e5

SHA512
a5c650a501db3c7662e566bcffade9627d032236d0589b70fd0f495a55f54f5bf62e5fa417ca0ef45e7c96a0fef195f9dee67448e32284379a295eece8ca8888

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
39bb5b823efff1facd8442d031108e73

SHA1
6c550cf8a8b14a60e527104dc738712e4003401f

SHA256
dd0a73cd88c024181c0c0eaad537d4c8883efd3d940ec21d6bf531e898c32488

SHA512
a10a2b610450d1643dea0ac20085a53f06a6aaef703566202388d51b273b863fdff18e0e0b4b0572aec34694df7db785bfe5744482e8d223fd9a3dbcf632923d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
856c71959522217837db60a2b31a6b44

SHA1
f5e870074ae6ca3b58bbc6108f21938c7fa72d86

SHA256
f1057ce033b9c1547d56781b9f708bff948318f30ae6f8e33e030c6a40558afb

SHA512
8e7dc33ab61561c6803e486b9e87f8080859f0b515715010ae0971434dfd5ec87ecc7637f9a0b40dafcef7c4aae21f9ae6e8a0e7f79bd39597a317be865d2681

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
2KB

MD5
b0f0e387c5c00406e364f084e0e86444

SHA1
7f937ced818e571f774fb872a15b4d53416cd0e7

SHA256
bec79588181cae420ddc768357d0ab9a8194d0502c6582fdce501fac3f802f50

SHA512
c9ea22e7de32022464172ac799fd34a5e2b85008e28f87aa4d80c9b8dc0e7749f0170407ea9d3a74cc2e9794314548fc210b5cb2dc1e9813a13eafe5f6787709

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
2KB

MD5
7c63145ad968231905246f5e297f941d

SHA1
2c4b7ee663989aaee423e38c5316836dddd5ed65

SHA256
6ab3d7e3f1b09c722e718fdac59e6240b0ee327655628f4748720452813d18bc

SHA512
2cfd66023754ad406246b721115383f5a5a4c13a8520db1965dbad63a807440194669794010de946f1499b83146c40054aa9bf53c588597a88a61fdb4d4815f8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
2KB

MD5
ba7101862913ce684a832d134725421d

SHA1
1a11e06e4c8c28418863106ea25b9f05e6908964

SHA256
8e6037f4e3c574558ed84fdb80c685b93a6712b04126997011f583f1dc1ba1fe

SHA512
4091efbbb7b0d8558a99228c0f2bc239ac2e876a3322102f0042e6df437789fccd03d26a17c0039a405b36b597c495e714637c603786030b84684a09580690b0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
2KB

MD5
f1f6199953d4f9b4d034960539a804e6

SHA1
151360b27c1b2de6500c0720a70df84a6e988bf4

SHA256
dbf9397e30d94ef126bd633e897e5205c41029f14ba4b2093648fe3da6d0fa39

SHA512
3a91f66427681dfe3a9d1f27d4c1f3119d5ddabbc6681bd374027bc1c1602b3b418cada7a07a062e88ff622ab54d20a8930df248e4d1d81889ce1075b3cbbec2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
2KB

MD5
35ec167f7fd6defa6118b339e646620c

SHA1
cbd820af9aa3c001f174786fab83ecd79f0a1322

SHA256
9b19d99e905ae89bf575336be7de8dedbf879bb764f75f9b1354623947dfc7c2

SHA512
a3740fa1b8a680ce47095389d1519713f57bcb24130af8a758fba6381db7f807ce8b0252a0ea89be7935e77078c26180e8981b74d46ab381bc67d56a40487418

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
2KB

MD5
d401d804f6b290b062233d73481303d6

SHA1
1a6a879a39c409573c6dcd4ee89aab033a1ad171

SHA256
ca6e24e15a10491d197da1eb563819434780a3e89247fe781940e3c4ec1e92d3

SHA512
d8c578186abf44d1b403bd3f2d297505950d96e0385f6136a485c1635cf43d4cfe3697135934dbc61d316fa640e8cafdf72fb107301a9cee1c6ca2f3308cb1ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
c6b60047017e53d45ffc36dd18b503ea

SHA1
9ff8932db951540852350b7a671eee55acabea7d

SHA256
9cc3c97f169ccf15d77ab12d7a89b32391ac1ace369b78b7dda567f3cf87cfa8

SHA512
0ee38b5b856ec9123608aa23bccb61644c093fb056f025c772694a4bfb1d2315c08af9ea1342581f09d7013a2b13096f2a081cd9d4c81905bf0887157f157762

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
f66a26e43017ad4cdc49c1cd0500b7b9

SHA1
e4d4eefe388bc055b38afadfea760d32aea36db2

SHA256
91d327b7f9a79ca184166bae3d54ed6699706bca0b120f8b22cf3d2c446f80d2

SHA512
aeee6965673dbafc386d80d91dc75925ca753b7691d39a11832668f5941597cfde5d848b1ee2b0413b30e15d9849bca63896bf754d60542542c1288a8be8d2b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
3d4a536140bae27e34e7f8774b1280e2

SHA1
64ecf5f288da0d99cc2a6f55391ac8624b15d029

SHA256
f40295fd381636a036565ba640d0b524dbcced0373b3c8f5dc8998612d5e654d

SHA512
5f95b5509d0ce0a2b5d5e940bb9b4578c4fe2ddddcdad5d43bf4014549c2e6a063d4a4eb265285a197d7649a48b59fd501c3e6e6fea0257300211ebac4a289c1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
f76bd4f7d267047b529cc8330d77377a

SHA1
c5789d34f9483a2e003b84cdd9dcfddbc8ad9777

SHA256
0271319a809065cc2f7398e9c425e1846cfc9bd78a78fc5dc7c3a28437f1d8cf

SHA512
179eb6c9c56b7e48fb1f71e37ca2b208cb89f4d258dad06827e0e4bfd98408fa369dabf2641feb1eff456c9769a9dff17fd83676401c1d463f52f828e72b98b1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
cccd721881310d7c889961057beb6dbb

SHA1
cbce4254ed818579b10043524ab0e20dd2e417d8

SHA256
cd50fe9436189d56a80efd3bb9d77ce4c55de172985abbf46771679ebb590c26

SHA512
b2cdc1b0e01ce74ab3637c6127df352e94659e6093f3a4f21c2ee1811d8bba0a95e00dddbce8be3a6435b114482f0490ed69957e5ddd6fd80c654df0c8a7b021

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
09d8fe90ed4ffa912b1786e6e33aca3a

SHA1
9a9e50d55bc55f19c6ed1ce30574aaf8eb952511

SHA256
be82127491b4c767aa19a8d50e2f74af7db91b2f479de4e612696b2bed34e3e8

SHA512
d205f63d4c8b95f194f940a71339527b865b90bee338a6cf7cae9b7ffbe5bf6b95b9b57b452f6d6b533a4b3a226af204e390c3076666f337f67efe825d0a18bb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
5b82faed887378883d604f4903bbed92

SHA1
5483599fd083627616d5d8b02e5a13e1b5c48234

SHA256
b362f162aaf93d5efc8eb8547381ee78b063f58a36d1f04665f21d59454c681e

SHA512
6ebf889386f9874c55c6295b91c5efd43eaa43ddc187fcc3345a74bd6e8b1ee7f5d3afb90031b6708c7cd2fbadc91615b49a5255f47f857578d8bc81016417b6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
0c2fab9ca1ba5a51744e52bf5742f27e

SHA1
89f4a6b488e7c657167610bab20909a3e7a1348a

SHA256
8c195661ebdef9dc5620a195f8dd790e21e3823ed65554d21625eb5dfe1a0f0c

SHA512
816c267e123c0bc17bd85254eaa334b93db3c05117c3308378156c6c18015cb9d51a718af17cb916685014bcba6b5fb777960aae746d0ed6d69a292f24bb2724

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
aa23c90c36405f4db50ce927f028a3f3

SHA1
d1ff87b9b210b4dd3fa7d675019f0253468691fd

SHA256
ed9ba71ac4549a831ee014549c3b054aee79d3a0b68f4dcbfc02c8cc93a8bcef

SHA512
46e7a7b8fab0b3f2abc55f4637e774fcd2aa88741aa43eca8b5a70fe3780fe89ade81cdeef1f19eb6fb035d1fc4bda554242ce5bd85f732996acae3e9e40e268

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
96bde13745ab7ab972637cec3de8ec89

SHA1
d31861550e5ce8173512f28af26cd5a69a8a1566

SHA256
868d266cb7a5487a853897382d989ac0979ea3fa0b071ceb2a3cf1a2b1c00845

SHA512
d33c86943ac155d0786ee1570a3fc0a60e2df21339fbd39c1dbe0fbd3724d52117bccd1a1af8ee3d6c95200c23ae93deb9a33c7c0d7a5d3f09338c26ff8a6dd2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html

Filesize
10KB

MD5
9ac8a6896a54514904e515d782138298

SHA1
dd4befc919ff752d1dfa04f2b6d0cbc7a917eb6c

SHA256
de5c60543ce4ee1770f80cf05a7d87bb98d19b8a485a8a03f5604e14875dfb44

SHA512
d7374bd405c05372ca2064d999be8fa4924879c135f3e42f519d752c82633d64e848f732d98ebb13f86780315fb85874ca56fc3266e59b487eea34038539d886

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
79d469226dd1997fdffbecb0d67c55cc

SHA1
93bcc8d3313a2c959924f2179b9bbaef5b8bed35

SHA256
2b9838ba6800e16a019b3a6cd933ee17bc8f58348117801fe618f64eda458777

SHA512
eaa0a90bcd94ac4a5568a073e3be576a111b5b3bdb7bb71ffa76e30dfaa189c63f8924e835c54cf78b2ca08a84be5863c908b43ee2d9236184c2a4ee175819db

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
c199fcce28788c45510d318eec802d76

SHA1
fbf276e2984c0c9e0be6ddcdbd44a73c4fd513fb

SHA256
34b46b83867c211779178942003c883e34394e16b8ddee9512bac58acd13cd81

SHA512
305e60078d08b2b3baae476d81d41683e84b09cbefab812aff164bda3ad45ed972e3d20d3e92e8825707897dc718c66672c7ca501735f903e3f5987a12363c29

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
c1f65541708f664ae7497d9164ed096a

SHA1
317f50b98fdbdfb75b0e3e42759bbd304cff651a

SHA256
3f4f8ad59ca146a1bb97307cb7948cb87bb2e70d2aac6ba06540ffebbb9c529e

SHA512
86bcebe380dfb402bcbc8cce9e784edade8f188a6d359c3fbcf3ebebb173f15af8cb7a13f614c00359a260c22655a4bb5b3bbaf1d143548d78c5cf84df5dc0ab

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
bc1eeb90aee4137c56701f388ea7b27f

SHA1
a86e4f754658e1479575da7bf22497baaf122991

SHA256
b684b48696be13aa5ec0272a706fa1567bd124201e4a43941d2cf65b86a40147

SHA512
65463c966af8a1098fd5031e3ae50553753f6d9318b374f9d03000676ff06e9be9c7c59373240daa4066746fafca15b8e2f159f8d542ffbbf5d9bc758b6425ad

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden

Filesize
1KB

MD5
6c15bd9a280fbd93849d9f0e78d941c4

SHA1
10ee3ec3e666145d2accc70746f4fc8c94920a9e

SHA256
f67399a37905895a4e1a7931970ea7d95ffed78cb31ce34d67f25b629c5b2f3b

SHA512
14c9bf6902feb3ece1583e5bac7fd8e0e26aecf76fded957cb4e44571616300eb0bfab106be2ea4bfd57f4d58e9eb7685e336d2b3c21d6c7b1c4fdabfa68a134

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
1KB

MD5
281ac1f2deb0fa485603938107987f1e

SHA1
f12e8438e40ac6d18f9bc1dfb21608ced4a7c3e6

SHA256
874a0ef5e8d9f5665d36d4346f35e557cb3292196933d8c5c51119468948fb97

SHA512
322888f3ee76d5f957e87640db2063f6cda96dd8ffbd034511ad514eabb5a78914f34dd1e39dc3774a9198652f1c1a42abd02aa2080c455dc572b570cfa8b88e

Download Submit
C:\Program Files\Java\jre7\lib\zi\GMT

Filesize
1KB

MD5
57cd8b29736847b5a402f2f7a757968e

SHA1
4e0c1105242efcfbdf3db5819215e49c2b05efe4

SHA256
f0150d18fd9b296a77b895e7f6462e9fcab872bfa2e428c2e3e01a6cd7154abe

SHA512
e8b5dad59ec7c8dc27c96eba9934e60c6055fc53ffdef7527cae25d4d2bd6c76d44c76e20e340a278b0f13171af9b0805b79f247cd5838e0d728964623520e21

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
391f0d1d4343fd411abe6cfb6e3fec58

SHA1
b99abec05071827211b7f19814e019c70561ca41

SHA256
c7694870157f6d1aa02aa6c4ea5c92ce0420225cedbc38b96e4cd20d3f1d3121

SHA512
cb2928f424b2200a9ac05bbab77e9eee8b381f98cc3ef32987eb778acf8b73af2a58f3e5be3f89c5c58c4fa5228dd7b81e8ef9c5a1997991b0b528b0bb0a3b38

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
549f9d4f314a33b868ae99f9b7a9e6f9

SHA1
7815b61766bcae46550e09aa53b5137bf35abc54

SHA256
9752c0d3a623a085a7e8021b2690b434e17c40ebe89f8986f9996060c8328b69

SHA512
0b16f8bef11ad12cf035783ed39b7b795090ded1d391eae53c6e47e85bfdd27fcd8be06b636e910d3426a7f0a01460d09a76004966d4b50eccf7094178d5885e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
097faecc6647003e77a9c45449103a33

SHA1
7f1146eb259f4da002922e4629ad7230426c401c

SHA256
758369e928ef24481fc35a11a19fcf16b71142b6cea2e931cfc0ff018c6d5625

SHA512
e4415324db82e07c2786995f537e710e5a8afaca4a354e2b165f10be6f31146e43ea93595d5e45dc7211f084c3d9e67dd1b15ee45b6ad4859a022c587d1a2817

Download Submit
C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo

Filesize
545KB

MD5
d6d23644e1767c99f72c17e5a75d81ff

SHA1
f1571d2ee2dc3f3b5188d6485817e955cb9b9ca9

SHA256
92ecfa285c57ba3f8b8c56d030ad79f48f1284f2f05fd79a62dbb036e01c6788

SHA512
dd56aad2afa35bf6d3ed6e3582f7988b31ba81c8452620992d96ab756676e8b9a863a2409dcbad8677350533022cf19e3a66879f32fde94c50bf7cb919b6e53c

Download Submit