d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae

Analysis

max time kernel
158s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Size

335KB
MD5

c3d5522f176830c4a24223c96439f668
SHA1

46574cd17ee2a1f2084dc83a65df94e13ce25061
SHA256

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae
SHA512

0ed0510f4bba6280e4319f3742d1775d7d251c35517f74f1e2f7350ac68239879b0171a279aab252947163977f363cf3852d52747b225aa160f882cb82bc532b
SSDEEP

6144:1YS9RhUoKV8TCylQ0MWNns5wiSvypQof+9RpfbMPrac6bhMq:1/9T0ylQ0MWNns5xSvyp7W6MMq

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">aIiZvMoTfIPWN3V/3tbqsRFki7kdfeIu/9RXIpf7TyFjIS/i6fbUgx89oN2eCnLDwpnrKfGndgogVjmvT1/l9QGOeQPc6KSZy6YNyDBaOmwXFeLSUdnqBVkqOQx9yK2Pmp8A+dErg3dUc8WwWkDvlqzl0bPrMy1VopBgQs+MTOJrqx3v5/gPmTFq02SnBckuHap5Gm59d4TClTiAVdj9RE3FhvUs+/f18/NQfuJcqSuQTJhFM/LKAOn9f0aF/ZSoQP4ADo/uPT5Jze7F94+ExEDBnIlZ/HE1RpxgHC7E4bhiVy8drekzO7MsZiBKBZ3ch1J5pYwXN5cf5+Lry3nm0AZGvO/Fm+tN0y1sAIRQRVhMBjBab+3dKM38Ip/3Jy298JfxiMH1WNImrGLM5aYIyQkQg31nur8gQubUuv1kf99IM/q7PZRSwRBs1XLSdEGUMEUxlaR1JUUpIl4kjfiMbKYBufLKJI1NfIeNdGQXluBvAQ4XjrMmNJ8VZZmux6sVgVReOV6izVreGb9GLFmwYj8H2HlDg74w/189BpQ66GUN0W61S9P97yckLyG7HW3LsUXk7m4bwtpRNiAaDT+B96i3VzGFSCNjKiBgEIQe0hwgd0v68fGb9tIGawTS9CIt3VLdUC5K8Z/bXI2gVkox/KKN3Djvs0y+cdDFWPxlFtSq9H46w2TYfXC6+GE5rZ6SCHQOnJcQRJ/72yw48hqyKe0o3gszth6FKK1rNiKrc5Sfem1dXDJ45B8AhR0huIB1mTAr2lncXfcOaBO5rNtalE6yFGgz7TPxl1g46cMVuVUCDP9noazZWT1slFUSZpoPr3Fsr0bcBVgCYEj3xb2817hwrrZCnCL77bhEQhmeM7wUGzJBu/tSb9XqQRz6uTIFisWRpF5/hWA/fqiU8+Z8LaiwiuUTDh/SuX1hUsopAZU+Vx+e+54Tq+Xi4YjRniZG3rwhWVKW6yOvM1lZr9vbe4Qb48loIze0wF00PZRDHffk9wCjtBnJX3+rk4Pm/DNYI1YL3cAFOFBegX8EYwKsdYnv1bOA/bc8xM7WwyMSqgnc8Dz9EoBe+qc0W+ShkpgmYOtvlULJbfUG1TK8GMLC8oAF0gklK39MXZxXDg5BkXflbZCaP24fhTLU51HExog7n8JSdt9kpF2Dy3Z3iip+YIwNF0DFRRcDxvvIe0Z848n8Cpj0ESqDxOFX84R8h2vgopSZ8zzLVSSp1IuVRJIdZc4sJWg+5dkQaMxd6Qhl9QQwMHMCWz12Xxv3F5Zm1dsRrkt9HpTkpH8m3lqjokOqeUD5WCAu/NBwE5jFfDQ8sTNykb/QR/3greVr8qc18BwSjBOPUwSH1aWEf4Pi3b+r0JO+BhOcWcUKOEOzX5/PRm2Uqi9FegE1xiw7P2QRWTEb8dpAaib2Z/2fXQ3QtL/KGX9//tZW9iGoexgWuuRGAdqNIaTnBCvJL6phNEbYraOIuBbDv3CRDJ1IyW2vKHyb4MzvUrVF4VkMFeHEQGJ3+zn+ZME0NeZQpbauuNl6UJz5xfi1L+mj50kNCR4Wm7ruaOs1ri2pju1hZ6+GbX5qpeGByvx4EQxfImaULf33V1DUc04JxYIlGmHOAwqWxTAz4S+WtbvnLgTa6E9KAnrE9H3FbhVZK1faEhi4Rh8SKlAuPfzzqHYLy8a6CstWCJPRWjPxnsEV1pMILvq5L3WW7cM=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2492 created 1264	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	13

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2724	bcdedit.exe
2896	bcdedit.exe

Renames multiple (4281) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2736	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1596	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe\""	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe\""	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\J:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\L:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\M:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\N:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\P:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\U:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\A:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\I:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\O:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\Q:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\S:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\T:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\V:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\W:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\H:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\G:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\K:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\X:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\Y:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\E:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\R:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\Z:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\F:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5EDT	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\STINTL.DLL.IDX_DLL	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\STUDIO.ELM	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Eucla	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\js\ui.js	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\SETUP.XML	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_notes-txt-background.png	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Mazatlan	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files (x86)\Common Files\Adobe\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\EXPEDITN.INF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0228959.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\HideApprove.doc	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Microsoft Games\More Games\de-DE\MoreGames.dll.mui	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\Keywords.HxK	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_zh_CN.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BOATINST.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fr.pak	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\DVDMaker.exe.mui	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\RSSFeeds.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveDrop32x32.gif	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0230553.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.ELM	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00021_.GIF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0086424.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Warsaw	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management-agent.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\RADIAL.INF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2584	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
572	taskkill.exe
1516	taskkill.exe
1180	taskkill.exe
2944	taskkill.exe
1640	taskkill.exe
2884	taskkill.exe
1584	taskkill.exe
2808	taskkill.exe
1736	taskkill.exe
2528	taskkill.exe
1668	taskkill.exe
2956	taskkill.exe
1208	taskkill.exe
3040	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	2884	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	1584	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1980	WMIC.exe
Token: SeSecurityPrivilege	1980	WMIC.exe
Token: SeTakeOwnershipPrivilege	1980	WMIC.exe
Token: SeLoadDriverPrivilege	1980	WMIC.exe
Token: SeSystemProfilePrivilege	1980	WMIC.exe
Token: SeSystemtimePrivilege	1980	WMIC.exe
Token: SeProfSingleProcessPrivilege	1980	WMIC.exe
Token: SeIncBasePriorityPrivilege	1980	WMIC.exe
Token: SeCreatePagefilePrivilege	1980	WMIC.exe
Token: SeBackupPrivilege	1980	WMIC.exe
Token: SeRestorePrivilege	1980	WMIC.exe
Token: SeShutdownPrivilege	1980	WMIC.exe
Token: SeDebugPrivilege	1980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1980	WMIC.exe
Token: SeRemoteShutdownPrivilege	1980	WMIC.exe
Token: SeUndockPrivilege	1980	WMIC.exe
Token: SeManageVolumePrivilege	1980	WMIC.exe
Token: 33	1980	WMIC.exe
Token: 34	1980	WMIC.exe
Token: 35	1980	WMIC.exe
Token: SeBackupPrivilege	320	vssvc.exe
Token: SeRestorePrivilege	320	vssvc.exe
Token: SeAuditPrivilege	320	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2724	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	29
PID 2492 wrote to memory of 2724	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	29
PID 2492 wrote to memory of 2724	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	29
PID 2492 wrote to memory of 2724	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	29
PID 2724 wrote to memory of 2144	2724	cmd.exe	31
PID 2724 wrote to memory of 2144	2724	cmd.exe	31
PID 2724 wrote to memory of 2144	2724	cmd.exe	31
PID 2724 wrote to memory of 2144	2724	cmd.exe	31
PID 2492 wrote to memory of 2692	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	32
PID 2492 wrote to memory of 2692	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	32
PID 2492 wrote to memory of 2692	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	32
PID 2492 wrote to memory of 2692	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	32
PID 2692 wrote to memory of 2796	2692	cmd.exe	34
PID 2692 wrote to memory of 2796	2692	cmd.exe	34
PID 2692 wrote to memory of 2796	2692	cmd.exe	34
PID 2692 wrote to memory of 2796	2692	cmd.exe	34
PID 2796 wrote to memory of 2808	2796	cmd.exe	35
PID 2796 wrote to memory of 2808	2796	cmd.exe	35
PID 2796 wrote to memory of 2808	2796	cmd.exe	35
PID 2492 wrote to memory of 2648	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	37
PID 2492 wrote to memory of 2648	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	37
PID 2492 wrote to memory of 2648	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	37
PID 2492 wrote to memory of 2648	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	37
PID 2648 wrote to memory of 3028	2648	cmd.exe	40
PID 2648 wrote to memory of 3028	2648	cmd.exe	40
PID 2648 wrote to memory of 3028	2648	cmd.exe	40
PID 2648 wrote to memory of 3028	2648	cmd.exe	40
PID 3028 wrote to memory of 3040	3028	cmd.exe	39
PID 3028 wrote to memory of 3040	3028	cmd.exe	39
PID 3028 wrote to memory of 3040	3028	cmd.exe	39
PID 2492 wrote to memory of 2288	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	42
PID 2492 wrote to memory of 2288	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	42
PID 2492 wrote to memory of 2288	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	42
PID 2492 wrote to memory of 2288	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	42
PID 2288 wrote to memory of 2552	2288	cmd.exe	43
PID 2288 wrote to memory of 2552	2288	cmd.exe	43
PID 2288 wrote to memory of 2552	2288	cmd.exe	43
PID 2288 wrote to memory of 2552	2288	cmd.exe	43
PID 2552 wrote to memory of 1640	2552	cmd.exe	44
PID 2552 wrote to memory of 1640	2552	cmd.exe	44
PID 2552 wrote to memory of 1640	2552	cmd.exe	44
PID 2492 wrote to memory of 2644	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	45
PID 2492 wrote to memory of 2644	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	45
PID 2492 wrote to memory of 2644	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	45
PID 2492 wrote to memory of 2644	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	45
PID 2644 wrote to memory of 2880	2644	cmd.exe	47
PID 2644 wrote to memory of 2880	2644	cmd.exe	47
PID 2644 wrote to memory of 2880	2644	cmd.exe	47
PID 2644 wrote to memory of 2880	2644	cmd.exe	47
PID 2880 wrote to memory of 2884	2880	cmd.exe	48
PID 2880 wrote to memory of 2884	2880	cmd.exe	48
PID 2880 wrote to memory of 2884	2880	cmd.exe	48
PID 2492 wrote to memory of 324	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	49
PID 2492 wrote to memory of 324	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	49
PID 2492 wrote to memory of 324	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	49
PID 2492 wrote to memory of 324	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	49
PID 324 wrote to memory of 3016	324	cmd.exe	52
PID 324 wrote to memory of 3016	324	cmd.exe	52
PID 324 wrote to memory of 3016	324	cmd.exe	52
PID 324 wrote to memory of 3016	324	cmd.exe	52
PID 3016 wrote to memory of 572	3016	cmd.exe	51
PID 3016 wrote to memory of 572	3016	cmd.exe	51
PID 3016 wrote to memory of 572	3016	cmd.exe	51
PID 2492 wrote to memory of 2476	2492	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	53

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
  "C:\Users\Admin\AppData\Local\Temp\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:2476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:900
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:1088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:1904
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:1684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:2520
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:2284
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:1224
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2952
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:1712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:2612
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:1908
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:400
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2408
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2456
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1140
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:2356
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:912
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1404
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1656
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1560
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:932
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1820
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1672
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1780
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:1348
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:808
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1752
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:2224
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:1344
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:3056
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2660
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:1588
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2196
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2024
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2924
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        Drops file in Windows directory
        
        PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2144
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2504
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2980
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2724
- C:\Users\Admin\AppData\Local\Temp\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1516

C:\Windows\system32\taskkill.exe
taskkill -f -im sql writer.exe
1⤵
- Kills process with taskkill
PID:3040

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\How_to_back_files.html

Filesize
5KB

MD5
b07db3b8b87843055e7855b7411b4188

SHA1
ed3fcfe59845816df9531e3a252e3ddd81fb08e1

SHA256
2aa1599d2a8a94b2b5502a76766c7c9d20029ced2bd1586385c5a3284b7160fc

SHA512
0c800246611c4bca3660c999b5d66571274450f029b456bbdb760a94759957adfeb4b5971bc50586d71caa61d3421333062b2e030013e76d596295b48cc93706

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\ij

Filesize
7KB

MD5
215ed5329cd3e2dfe30ba9fe9dd35c75

SHA1
255e0c9a84c773fefae9a6158b7dc1667b7087ed

SHA256
b2422dd352b8ab2536d8bea8af3db6c4fc43cb9af797dcb2a77343d272cfda28

SHA512
0b635d817a2cacff1e823a8c266e718fb48b68adab15879dd174b533b77f0b6e94cf35825bc93400d89537edb59cc45394a501792e8b83d6978932dcb8cdf27b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
86cee42ea5a57d7f3ca531e5b3551acc

SHA1
87a5029b0877108463060cfeba69bcfabc26b347

SHA256
47cdf1791786cd2b47f1b2f23cd1e5aa5ba931eaee77fe204f5c0f456c7bbcb5

SHA512
1306c7976d0556c672b5cf254ea8d97f26130049b526fb4fee729a870a44e267ab994879cec75c8cadeebd43aea0c536285641eb6981ca78c2ac5fd797c4b28d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
daa200ab9aae931e52951b1eb28b2f47

SHA1
9edd8eb1ab4432917c0c0260e0b15237b4ae78e5

SHA256
8500e43dd21f0b50c62dda781798c7590ce39233c66f1c4e0dbf7e378f8e5380

SHA512
035833427b3d9496d8cb08a654eb936d7a3f915f2e232d25134d37abcbca20fd9a8a12c066d5a214845df61b284b64ad1ba356c60658e0a382a163f1f9955f91

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
5eabd5030e45470358a19218a3f13247

SHA1
d2c21631aeb07918e218f18b0522c728916043eb

SHA256
f7367fc9c7a4d45d939076407af6179783b24203ec2af8f77ec33fd91b264756

SHA512
d39b7bbd3ce2b034f04da746fcb2fab05adc719f32d991df4c106f2b42e011731c554a8c0bc5ed845d9d4a834589074df7d31f27ca25e3384c197947894a9b72

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
0bff1b7a924b54ef23cb60bc38a7330c

SHA1
52234094cdc268f83a4e79577f20522820b4b74d

SHA256
9aa52292e6c09806b0eedd576c72c38ec17c1808b396b29ec9f15204006ddf26

SHA512
261b7212078607628cb8ade53b3327915ef32427986a7d3bb88fad10ac56b51644d4b67e1e14ca87c445c779ccdc9999101f9f989a3caad35696e0243ee112af

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
3373159f8846163acee698e259ec96d6

SHA1
608ac8ba57a7f0ad3c83001a744ee9ab997cbf6c

SHA256
aa7455649eeb38e42b74b4c018140b7e99b27f746b036e6a9e665b6f3adb5125

SHA512
97d914fd3f7a6d0c7edf1b857feeea6b521473db4af91bb4f7b087476895f23e1271a572c9ce4fbd9370c466cd79d2816dc26cfd25b645ed2345ef9c75b0bda7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
57b270e252015323a74295d04b0fee28

SHA1
85b9a0673980a2fe1fd827b0f86568c75aaaf644

SHA256
ca26fdefd2608bcfb3365245c27077a82cc40b0b523c342081dc7d964e5d4eb2

SHA512
4157acf0e025ec216f48bf855b46f16e27911092f4778eefd8d70e068708757b49bed2700cabd7e2aa88cb4b54a15ac5305ba086ac2bbceade1015c506ae4f0c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
fbb1004ce945d314f44d6207c74ebe0e

SHA1
6d1cb8e019438bda793015103597c052e09e6389

SHA256
e99a5295aa8bd56dfd9f17b0e523a0e784fac8d2a73548cb5891ccc2e8e70a6b

SHA512
05abb3fc46fe33446ab1b78725f5e6a5de8394e85d94971fe92e806706261b5686e8a20fcb478cb1908dfd4aa9584594f1ff358d32e786e66b01f8aa76a2ded0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
b6a91604da417b9ba59f8dd482318377

SHA1
b75feee211969e68cf236c711cef6766d49f078a

SHA256
e09ad29583885a714d9b70186f2710391ddc841424ffa5c5a3eeba82bc7a5770

SHA512
81848ec9715c560a12a851f2c2ba505900c93426fc42f965ccaa707733941a0952cfc2b6e19a85523de440c320dc57cb11d72e72d71b0d750d729b76e7b165be

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
680f55177702ac12803290fc45f9cebe

SHA1
0671dcc7aef2496f7a7e0359710917d0742cae82

SHA256
141c682146038905879d00cc01bb018e9420af03bac26699ba533ab5f14ab243

SHA512
145c54ae32aef30c8374ce9b881a10bb909223cbf094c56d3125981efbbe5dee7643daca2f49b9cabea7851752dbbf9e7a8d00dc7eab303192909b336e5b6405

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
07d8d0f2230347777c706e9fc6055126

SHA1
f04cb4196389af1b376dc759931ed9cabc6ce290

SHA256
e6b8ff4e49e6dae604548c4c857328f9dea0b0d8354d545bef90c4357ed556c5

SHA512
db1091a5ee54f04bd21862623a83e7b2b5e4fbabc06d2bc7e46452d6b66b32644b4839723fccf3bf95922a6099e1bc958ceac0cb5f9b8189dc9d0672d71f7e7f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
93fe17d9a042da56558f35470e042703

SHA1
9d6faab2ffe9a00cf56d09e0fc599b68857de25c

SHA256
51554a763ea71568af26959194324a8291e8ee9216bee6c4b6fefed0add9e041

SHA512
b499a1ccf2b4dab4ab7a766b726f9104920acc7df6c286697e816605ba2a2cda79d918fec904d150b42f3ab61f18e5296e70bacf6c0a3b484288750e9aaa65de

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
1KB

MD5
42aec7525a71a02c1fb5b0646c92be21

SHA1
d7035da5eee63bd44a2d527f18c69aff9d758240

SHA256
a1bb4267138d9943af2f2bc4d9244ddbe6b890f3c5e6433cc22dd92502d5344c

SHA512
e80830bedf9c7d432e32f49f1b1d717de02d1ca12e4319da8cd69f5f6dce513756e3604f2fbdfe6159674edd7cbd651fcbbcf47689d149b101fe76c361ddd0a6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-lib-uihandler.xml_hidden

Filesize
1KB

MD5
767a316905df76419e3acf67066eecdf

SHA1
56ccad634304cf1fb6641d9def61a60ac4bb62ea

SHA256
efb9b5b69c5314f792bf946164cafcf5691da7002ed5833cbdf59155ea53af8b

SHA512
f53d535b85f2664240cec39dcce04e205f3807f45b30325ed531fad463bd70972bd9917464e1fb9b478d6db02d26292990a6d96fe3b9d862891ee1aa63ba351d

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
6e03372e7d3114355176b261578a4e5a

SHA1
ece49c0e1da21df189b0e9a199c6f160e8cdbdcc

SHA256
ad8d39c3ecbd9338f0f3b9115cb5e37b27f2d825233a22deeb034a0019f1e7cd

SHA512
52d6a4b40996f5e92d0faf0e88e0fcba4b800e01e6ffd943f6a17b76d9d26b6d499a0ffb6b3cc5005071cb9b1992e74d7d1009c0bbda2fdda09ab1c6e4305886

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
74f0027504595159616bbcb4652f723c

SHA1
e843dc625edb17ff2a6911c33b14d6043aa7a6d4

SHA256
e3b23b838ea3ffc262a2982ea6641b7b0cae59d45087a148fe8199b7ea1bd3ed

SHA512
64cfb4900daab5398ac5855490f9a9ff925e01217167d6e8cc59154457037c056c9e94b3f7ee7f825277fba9e5672c1d0aa0a0a85aadd381f956268cfa2d3296

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
3344eea3d9d71b342035fbe14a39c54e

SHA1
435d9231a1b912dfb4f01a4148911bc6c24f110a

SHA256
0522976a0f545b404ac9d5748eb0d732d85d8ba72b9132f3e8d90c55300f54f0

SHA512
a41bb799d96ab518414b75c7996aaea5313a4210fd1365409743d7507727dba2ea5d7d93ae3998e40580f10a6add497b310975e589940c4b3e48d0027e953af4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
eb798321fe17ce4b96c284b5712cc766

SHA1
72e52e3d3a78e46760d2bb4fe194302e899f9be5

SHA256
d331e87fb4d751a4d3caf992a93a94db606317a5fa91bb52114dd57cb57ca272

SHA512
6a6c2cfc8680f2c12a7cf08d24090681cb3cd493f39dab77c7d71b99500782c5bad74b85339037689eaccd8c81090bacbd0e1799f12d7f6cccb7e615d46e3954

Download Submit