ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
127s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-01-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Size

333KB
MD5

db88a1bd11ca3aab7a0890a10a10f45d
SHA1

0e01e118613962e364b76869bcfb9d26cf0a6505
SHA256

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
SHA512

b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023
SSDEEP

6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

F:\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">QBScQmwPoOK/FKgrNAUoWgQlGJTfw9fduWHloO/h82FjBRY3pAq297UcasRU7p5CIJSJlya5OBVPZhfXwb7bFJHrUIb+4MeEvGsobJ5YyLJrv1BRcx0xiTZENdxCxgezsoMMno2KAfpauDKhOFQd1PGY7e5Bs1lqHUD36gN73OuFV9tmNZhjfVztSE1okdx9j9THHvBepPzQNbN83S6E6kxgYoqOs7aRQg2ggnyXBUMx0eAL67llYxwJNx0YWkgpm8RnSlXWm2bROWt/+/SYRq++farlx33/Y6K5bMhU6qzMQz5Yc26XgxlSmvIh386GsiO0WMTJP/BQ+9+IyNkLeS9F60SFct7HWG23y5BOP7ZjXO6ALLQgPRecNKg0rIqve4pc7O7hlHSJkGhCPHWVjxGDxy8K0WsQQnbnTngQdZ8WRTsearcbRPm+FO43PFCiuxv9HilJEjX+jEq4t+/F+EzfNYK1r1zFm0wCS61Xg8SKppiTCpw4VoMFwdgo5V92XCIDXjxsINZl9XJZ7ClpAr3g8/4gnGSWyxHpk6qHIqKTdSoHvQkVOFy43AEoAeeFLY5hKjepUU6eYePUflib50ynxwQbO5xVX5U+6lp9K3jv0KVW6+2vz9B2eGztkFu+lJUjehlA77zKCWeO8fuiCPeJZbZ4w3yslftPGCXTEGUOjkMeJCYxMhOHxLt9n62fEPM4qtxPdn4P9c9ma9XFnbSwXzUfoOdJMKrToW0b7Lhvt0WwHh+xckdNeknpDftTYhu9PuTrr0wsUPMj+sJ5Y5BTQ4Hj6bBir9r3LLO3/VMbRNWswkHRJl9BIfPHOi7n1Os1pu2lgIoyqjw18xmIDxSodjRo2s0klxNVByfkDclJGJsSND34s2T5oDBwBTw82fgJY4W8JcyMYTcDprkCR/Vmijf/YzISRhdr+wKngLCGdCCf6+uqkAmHxrmvFvw8hXACUuNlrBbYfXFUTzOFWYVmlwWWZTGHtx1uFfPU6OuKgcQ4QJaSfgmHSkk50W2oxTlXvQXchkXW/IgJNt4HgHS4Z+cgjU9ac7U6wGk7FUWi2Bg2U2ljX1M2omHo57VE2nKfKhMJtyrqXTqAKaDGDlE4jvNc4EPFgZ3Tm7sH1/QPN8uQ/Tb8PaPFHLx4n7EX5t/YNmBaePyBvqpq25WI3yqnPGRizJCpRG4WJK9q8hc3UU+fhzXZAJvcEKsW+SE5qi2IiS6B0rskwtNxUoe6h3B0AelTZzMJ2+6dbhkXST/YduHyrgIpErA5o83fwtvQk53idxQ/a+zZsd0rZ4yiWQki1gT/RJ2qsByvCEg952lIMqbYvyzBjArLIc2EGOZ4UJmH5xav1pbFZPh/Bb7zLbmaznS9vfiC2HSvldjHhB8CSq/aRPikjexC9cBBMSbCHkNPzo2bEk5kdxNndcWeua8Y1SQwmdm5hN0AeM0w50DDYmJmbaWtxzQdNJLziL3rrWWFmsXJHpTqrBesa0p8kxIJ9jRQasXi8VuuuYqMUUEjy4D2up1PEO4pk57WzyzXqGYMaT0ngZ1oxIB4D+RAiezaFhnozD9w9GTRMaMs3t1v7xEPLy7pabpx9ZLm8b1hgO8xnFiz7cOhoRnAgexFFP+Qp/fFvOFrIJd4/AZLcj4/fSjHbk/CBeiovQkGPTi93YVOFMNoTBS7VM3BbXOP/C0hhf81WpW6i6P91G8eQLY=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1320 created 1188	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	18

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2616	bcdedit.exe
2852	bcdedit.exe

Renames multiple (7544) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2880	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1996	wbadmin.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Z:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\F:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\A:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\B:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\G:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\P:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\V:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\K:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\M:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\X:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\S:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\U:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\E:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\O:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\T:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\I:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\J:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\R:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\H:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\L:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\N:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Q:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Y:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Anadyr	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02124_.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\greenStateIcon.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_SelectionSubpicture.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\mpvis.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18250_.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\subscription.xsd	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\it-IT\sqloledb.rll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Common Files\Adobe\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\micaut.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Choibalsan	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert.css	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BROCHURE.XML	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32F.GIF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BloodPressureTracker.xltx	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART7.BDR	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial_sml.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\ChkrRes.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ml\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01657_.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14794_.GIF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\wordpad.exe.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Maceio	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02793_.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\flyoutBack.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_splitter\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_docked.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\VDK10.LIC	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Perspective.eftx	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-last-quarter_partly-cloudy.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tabskb.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157167.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196110.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309920.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Adak	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_left_mousedown.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2308	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
2868	taskkill.exe
2612	taskkill.exe
2344	taskkill.exe
816	taskkill.exe
2592	taskkill.exe
2060	taskkill.exe
2588	taskkill.exe
2300	taskkill.exe
2120	taskkill.exe
2648	taskkill.exe
1636	taskkill.exe
2856	taskkill.exe
2972	taskkill.exe
1240	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeDebugPrivilege	816	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2908	WMIC.exe
Token: SeSecurityPrivilege	2908	WMIC.exe
Token: SeTakeOwnershipPrivilege	2908	WMIC.exe
Token: SeLoadDriverPrivilege	2908	WMIC.exe
Token: SeSystemProfilePrivilege	2908	WMIC.exe
Token: SeSystemtimePrivilege	2908	WMIC.exe
Token: SeProfSingleProcessPrivilege	2908	WMIC.exe
Token: SeIncBasePriorityPrivilege	2908	WMIC.exe
Token: SeCreatePagefilePrivilege	2908	WMIC.exe
Token: SeBackupPrivilege	2908	WMIC.exe
Token: SeRestorePrivilege	2908	WMIC.exe
Token: SeShutdownPrivilege	2908	WMIC.exe
Token: SeDebugPrivilege	2908	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2908	WMIC.exe
Token: SeRemoteShutdownPrivilege	2908	WMIC.exe
Token: SeUndockPrivilege	2908	WMIC.exe
Token: SeManageVolumePrivilege	2908	WMIC.exe
Token: 33	2908	WMIC.exe
Token: 34	2908	WMIC.exe
Token: 35	2908	WMIC.exe
Token: SeBackupPrivilege	3000	vssvc.exe
Token: SeRestorePrivilege	3000	vssvc.exe
Token: SeAuditPrivilege	3000	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 2796	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	29
PID 1320 wrote to memory of 2796	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	29
PID 1320 wrote to memory of 2796	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	29
PID 1320 wrote to memory of 2796	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	29
PID 2796 wrote to memory of 2456	2796	cmd.exe	34
PID 2796 wrote to memory of 2456	2796	cmd.exe	34
PID 2796 wrote to memory of 2456	2796	cmd.exe	34
PID 2796 wrote to memory of 2456	2796	cmd.exe	34
PID 1320 wrote to memory of 2392	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	31
PID 1320 wrote to memory of 2392	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	31
PID 1320 wrote to memory of 2392	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	31
PID 1320 wrote to memory of 2392	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	31
PID 2392 wrote to memory of 2756	2392	cmd.exe	32
PID 2392 wrote to memory of 2756	2392	cmd.exe	32
PID 2392 wrote to memory of 2756	2392	cmd.exe	32
PID 2392 wrote to memory of 2756	2392	cmd.exe	32
PID 2756 wrote to memory of 2868	2756	cmd.exe	35
PID 2756 wrote to memory of 2868	2756	cmd.exe	35
PID 2756 wrote to memory of 2868	2756	cmd.exe	35
PID 1320 wrote to memory of 3020	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	38
PID 1320 wrote to memory of 3020	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	38
PID 1320 wrote to memory of 3020	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	38
PID 1320 wrote to memory of 3020	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	38
PID 3020 wrote to memory of 3016	3020	cmd.exe	40
PID 3020 wrote to memory of 3016	3020	cmd.exe	40
PID 3020 wrote to memory of 3016	3020	cmd.exe	40
PID 3020 wrote to memory of 3016	3020	cmd.exe	40
PID 3016 wrote to memory of 2120	3016	cmd.exe	39
PID 3016 wrote to memory of 2120	3016	cmd.exe	39
PID 3016 wrote to memory of 2120	3016	cmd.exe	39
PID 1320 wrote to memory of 2912	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	44
PID 1320 wrote to memory of 2912	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	44
PID 1320 wrote to memory of 2912	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	44
PID 1320 wrote to memory of 2912	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	44
PID 2912 wrote to memory of 2944	2912	cmd.exe	41
PID 2912 wrote to memory of 2944	2912	cmd.exe	41
PID 2912 wrote to memory of 2944	2912	cmd.exe	41
PID 2912 wrote to memory of 2944	2912	cmd.exe	41
PID 2944 wrote to memory of 2648	2944	cmd.exe	43
PID 2944 wrote to memory of 2648	2944	cmd.exe	43
PID 2944 wrote to memory of 2648	2944	cmd.exe	43
PID 1320 wrote to memory of 2908	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	150
PID 1320 wrote to memory of 2908	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	150
PID 1320 wrote to memory of 2908	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	150
PID 1320 wrote to memory of 2908	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	150
PID 2908 wrote to memory of 2568	2908	WMIC.exe	46
PID 2908 wrote to memory of 2568	2908	WMIC.exe	46
PID 2908 wrote to memory of 2568	2908	WMIC.exe	46
PID 2908 wrote to memory of 2568	2908	WMIC.exe	46
PID 2568 wrote to memory of 2612	2568	cmd.exe	45
PID 2568 wrote to memory of 2612	2568	cmd.exe	45
PID 2568 wrote to memory of 2612	2568	cmd.exe	45
PID 1320 wrote to memory of 2680	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	48
PID 1320 wrote to memory of 2680	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	48
PID 1320 wrote to memory of 2680	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	48
PID 1320 wrote to memory of 2680	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	48
PID 2680 wrote to memory of 2140	2680	cmd.exe	50
PID 2680 wrote to memory of 2140	2680	cmd.exe	50
PID 2680 wrote to memory of 2140	2680	cmd.exe	50
PID 2680 wrote to memory of 2140	2680	cmd.exe	50
PID 2140 wrote to memory of 2344	2140	cmd.exe	49
PID 2140 wrote to memory of 2344	2140	cmd.exe	49
PID 2140 wrote to memory of 2344	2140	cmd.exe	49
PID 1320 wrote to memory of 2124	1320	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	52

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
"C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1320
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im sqlbrowser.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2868
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
  2⤵
  PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
  2⤵
  PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
  2⤵
  PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
  2⤵
  PID:1144
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
  2⤵
  PID:404
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
  2⤵
  PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:2548
  - - C:\Windows\system32\taskkill.exe
      taskkill -f -im ReportingServicesService.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2060
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
  2⤵
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
  2⤵
  PID:2096
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
  2⤵
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
  2⤵
  PID:488
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1140
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
  2⤵
  PID:272
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1072
  - - C:\Windows\system32\net.exe
      net stop MSSQLServerADHelper100
      4⤵
      PID:2396
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        5⤵
        
        PID:636
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
  2⤵
  PID:1484
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
  2⤵
  PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:308
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
  2⤵
  PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:2056
  - - C:\Windows\system32\net.exe
      net stop SQLAgent$ISARS
      4⤵
      PID:2272
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
  2⤵
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
  2⤵
  PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:612
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
  2⤵
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
  2⤵
  PID:928
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
  2⤵
  PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:1740
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} recoverynabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2616
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2860
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2852
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
  2⤵
  PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:2364
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic.exe SHADOWCOPY /nointeractive
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2192
  - - C:\Windows\system32\wbadmin.exe
      wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      Deletes System State backups
      Drops file in Windows directory
      PID:2880
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  PID:2536
- C:\Windows\SysWOW64\cmd.exe
  \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  PID:2688
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\F:
  2⤵
  - Enumerates connected drives
  PID:1092
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\A:
  2⤵
  - Enumerates connected drives
  PID:3060
- C:\Windows\SysWOW64\cipher.exe
  cipher /w:\\?\C:
  2⤵
  PID:1688

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -network
  2⤵
  - System policy modification
  PID:980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1584

C:\Windows\system32\taskkill.exe
taskkill -f -im sql writer.exe
1⤵
- Kills process with taskkill
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\taskkill.exe
  taskkill -f -im sqlserv.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
1⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
1⤵
PID:1568
- C:\Windows\system32\taskkill.exe
  taskkill -f -im fdhost.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1636

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
1⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
1⤵
PID:2112
- C:\Windows\system32\taskkill.exe
  taskkill -f -im pg_ctl.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2300

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
1⤵
- Kills process with taskkill
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
1⤵
PID:1080
- C:\Windows\system32\net.exe
  net stop MSSQL$ISARS
  2⤵
  PID:1900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
1⤵
PID:856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
1⤵
PID:412

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
1⤵
PID:688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
1⤵
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
1⤵
PID:1308
- C:\Windows\system32\net.exe
  net stop SQLAgent$MSFW
  2⤵
  PID:1620
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SQLAgent$MSFW
    3⤵
    PID:2020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
1⤵
PID:1664

C:\Windows\system32\net.exe
net stop SQLBrowser
1⤵
PID:1908

C:\Windows\system32\net.exe
net stop REportServer$ISARS
1⤵
PID:692
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop REportServer$ISARS
  2⤵
  PID:840

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
1⤵
PID:3064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
1⤵
PID:2288

C:\Windows\system32\net.exe
net stop SQLWriter
1⤵
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
1⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:2044
- C:\Windows\system32\wbadmin.exe
  wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  - Deletes system backups
  - Drops file in Windows directory
  PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
1⤵
PID:888
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  PID:2892

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
1⤵
PID:2188
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
f82520152a34b5b7e5b0c6173b6a6ec4

SHA1
953ceb418cd5844cffaca0179a7f18f6ef90f28d

SHA256
3374b2b83ce2f25e7a914485cb523dc51e6b1dfdedd58ef58f277fc3be1bd5bc

SHA512
d27fc75447f80f74a2615a8dde8300fa4b19e750b8dd32ac1efd904f804a2f2eb8569fccae62f29fa93cd7cd7408606acb0a1e0f1cac9cdb77871a29a5fa95f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
df6404498799322cad7c59fe2e06f652

SHA1
c15549888c22189dc79ae4e2a0300dc6968473ce

SHA256
50e5ac9a7e749c0c88f760b9975313fd23f11bd2f49a8d27371167c2b1f4a16e

SHA512
7fa973c3c3529247f1e88a53ca128278aa3de01ef96b6b953125ff8407b5a75d6c229c700fe2d5c36e83c887b453e240da4e5dbeeda6a1db1687418ce03a0083

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
bd9213c32eea7506c0bea038cba33fa0

SHA1
b2eb6418eae41482eeaac0542e21fb6746d72465

SHA256
8a9363c8e2f167ab4ceeb3b3363d8bac4da4aba4f8d0dc5fdb1fa64b0d27cbe5

SHA512
c4cd7f5f75cfdb26c33807fecb92f47eb5dce45f6e7ad997dda074c0d08111a808123276eb7c78c1cb2aeffcb5207136aa53ecfa72073839fb92a138a7d309a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
8c74a3de5769b017d8122311fb80f3d8

SHA1
969bf0bf3d4b52b14964e70ee2a74dbd7eb08982

SHA256
80b9b2187414aea2aac0b2ec2f87ec2f03b620cac9d9c5d8cf7f2906e88b2e38

SHA512
a55df748c5d22b883e4dcfb044feb87c6e33476528a09bc08bd4502c77dbcfb9ce127cf08f4f287a1512caaaec6bd14a315127d8ae6109712c19bfe321f93e80

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK

Filesize
1KB

MD5
7bbdbeb1c35cda35c5add093995dbbd8

SHA1
3c0c84c81d907bdaef164a28b36440ccbb8542e9

SHA256
3069882979f89a32cebbd81c1fe2a11d2cfb22ebc9ca118fb11cbba5f7096e1a

SHA512
f81a68729ed293f5770ef024a311baaaa7dcef0d499cbd7906eaa7d8b9904d2e61ad1b1f32660bbeaac9e392992d650fe56ca24c69670f00c5d9ab12347de6dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK

Filesize
1KB

MD5
5ac3eaa049e7b4df2b83d0c3f98a8265

SHA1
731850711ca312036ba68efccdcf93733cc21ad4

SHA256
b2831ff1c59f890e3891a9be0122993d79d27fa4b1459379093dd4ea33c21051

SHA512
ffbd599152220d3220bef0d9cbf29d6bf25a5ccd41343530f5ca346f5c72862639d380d27d6c403c324cf8b46c2a8e2239d8a469032dd0ea800493c5447c3ee4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
f53ac217abcebdd67f62a9abbb757c6b

SHA1
14e7d9181482985ebd0e467431ac93ee80ca7e63

SHA256
0a37d89f37adab6ebd8cd4b69431e6318014e830cd9231a33129e08f4226f950

SHA512
ff0fbd7dd24bdd94382147f1cf768c1edcdbeb12ef05e90f5865cdb444ebf76f2e82f2bf0576473419d5452b544a2a674a198b06d64a1acc0be388b1b8c7a92a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

Filesize
1KB

MD5
6beb3c47f52da4e36f7f48d816cdd9ed

SHA1
1b22c18929e9ea278a248d361d219247beaf6e7e

SHA256
a0b8be22285b07bd617beabcc569a2de5cfb2b753a984df9d69df5a85828936c

SHA512
97dc1d4be50e5bc80b84d4b6b0605255498b14f7dfc57f0f37794e588af00570e21e50a561141e4534757fb826f615fa068f9a7435d217b2b54479ae85ad8cb8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
59952fdf18e3074463f7a689c6b6f960

SHA1
a816a4d63c01535d0f11697da03ce2f6d6c2c775

SHA256
8702520fe9eba3b9400838402ae249610db9e56227d081bbb039878bbbe400f8

SHA512
4a8a55973cc36c3c717be99e21c29ad5d0db80e188c86934ec7230421b3cee98ad2441c303a80825232adde548292b7dac7fba1838db507278065c112b50c08b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
1efd714651e4f37890101a415118b9a9

SHA1
f66c5438c3a326df55407735b9c26b1ab6a15ad4

SHA256
a40fcdb3d97aefbcb18580a91fb6a2a07dbe5160ed18a82292ca4a9216376cad

SHA512
8f5290b08a245616105a0e4c8292d72b969504080875fda26db09471f9cf28c9d658996ff7f2bec8cea35fd189d49796d984f6617872586a6a1185a43427e19c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
a0c1bc92893c9c822dd753f8e379a502

SHA1
c6ba09062fc27ece3c04e48564755f166af53d53

SHA256
04009eb362fd39e5334814b680a58b8f1dbb9186f6566570f530b63204fad143

SHA512
feb0ba684ee5877c9b394e56475e52c41ef7c1428555322dcbcc14a4e31778f2ea154a8b17c4338c792900e8de27f33257cf20334dd84e2acae072708cb8e1de

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
1KB

MD5
b2aab17380e6fa19d42126a2eed18fc2

SHA1
d95c05f9753fc7b8f3279f8e3fa39a5f47397ea2

SHA256
291db39c6a6e1b6a117ef80312616a7c6d2e09e1d7070f3e443156012671b68a

SHA512
cc72eccd94fe1727bb272d77def655aa1858cf92b3810046c921a24cdbb0e9224033b837d937327f48110acc937cc971561ca4d52370f7e77af07ff57e19557b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
1KB

MD5
08fbe1e5586b8fb0e0af4c258d38973a

SHA1
3355bdd790e0bcf0bd8a5b1d59feb642e27af19e

SHA256
2c084bda688c8e7e2005296e10bcc21d673f0ec48a7b409f8f59f6526bcde1f3

SHA512
97f40d5b0e22d697e126e0cddc5e8cf057047e35880ebef3c0a275e5bc0fa68ff23f3ef25e89a37f1b7f218d489b8d2e1a2338878da061589ecb1d2997c4e632

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

Filesize
2KB

MD5
4d3a876bf2f8206e331a013b616a10fe

SHA1
4210cfbef8fbac0ad526c336f5175cb6c3c0b859

SHA256
006d8bf3832e7da1f3b89a6b9aa2d6c817509caa4b362caf23bfb679b2c5079b

SHA512
e2dae54cc0491cc6394cb4324ea4ddb26066478a07a5c99f2de2ac218365711bc2d9ad09104e88bcdb2f4becaa5afaee518aa38f022b6ee59c8a2708136614bc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

Filesize
2KB

MD5
ff780e109097e5d2f61f9f58196a5789

SHA1
19e9366b6ad959d388b0632d6ba53ac9cd16f4f4

SHA256
a781c2725fb4a2fc3d15b04cc9b5cd8721eaeb15bc7eb6fece00e4e496679d0b

SHA512
1543146ff75534125428af0483071429c535602c80e46bfabed0bff686e8f918055b2e6eeaeda2a7f3422cebb8a5c7d44500a54ddbfeaacf983bfc1cacbeb4ba

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_OFF.GIF

Filesize
1KB

MD5
1285b89913d2667b1036686315af5af5

SHA1
d94473f0b9b473072017450133e874b961ddd1f5

SHA256
e11dce1edfebd892edb45b086a979d54c7030c132e72f746bbc43576bfba00f6

SHA512
358928f0ee7cd7949cefa9c400347b235d5151b23db08c9d591233a8c2c87783db2a7ef69c8bc19bd981209ac945e2992e96bd39fb9c0b58f24359b85171b7c2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_ON.GIF

Filesize
1KB

MD5
b19b762ce7895da527ea58cd9be38cbc

SHA1
e9d594dd065e382540378a0fb5a4e0ad048df87d

SHA256
3f1860af99e2405a98d11568f67a7c6a47946c073fa4ad8fb25ed8bdcd146de9

SHA512
ba24085511c2fad054875b2c0bfe86fd4e77cdb605a36ad0cdd4674b186db66b56763d3086251c65916ecd5c7336564427b9909b2c78f7fb8efdb462b15fd642

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
d73b8f4c5edb8ac53f0bae193b437028

SHA1
f6e4e0bf5acda1e39c51de45238050ef58ba2b7f

SHA256
100cdf19eb28357908472e5f70b7ac8d6de436a922e6c8528b443c0c7a3245f1

SHA512
67a2b0f76d3920c82f4ab451afd8c06a2a636454f2ccc7cefe15e43f3bc10370fefe1b6421309e9fcf99781e0ce701334cb6919e621961c524d87dee011e54f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
cde5365ad636dbaeeabbc2680fb2de10

SHA1
88b04dd5eb5a5ed30cdf2308d1ae5c467d770886

SHA256
0a1ebe71da44bdc2ed6036aeef2578fb20faf9df1642c2a768c370b04dc46491

SHA512
f884962749aea06052cb9297fcf9631f5c0aeac9166e0c410df8db0167dfa376c8006e919b9d8608a36ba88d335819957b1ee4d3ea6a2fa4cf53e7b7ddc3b31b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
3c8ba14bf11a97522112f476e4f285f1

SHA1
cb5bee282a2ee7edf1b284fda6d7fae1f5fb18b3

SHA256
deecbb609f88556336d77dddd0323270d35e5f7afd3474777753c0fa7ae35dab

SHA512
f74422fde0d99b897282677b7203fc7a6d280a414140f00ffa432acd53e934d89baac541059d793cef8d882e7df7435782a0783b7bd9fb04a0f587622b242e18

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
e56fc0a3e46deee2070a6537e16b683f

SHA1
07cf864179b7a7c518b0e6b3bc6f09090af0c2e9

SHA256
10951d8d674aabb982f38feb85c23856e13a5fa19936525632d0942935cb4ca4

SHA512
98e3aa966dfe2da702f288eb9c6815790d95d32744d751220a20825b316b2c365a826096425f9a01ff6f9c6c1479bc79e374051f23345652b5f221a6348ca728

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
2b0f2843bcd8df9b6b4098e5d629b6e0

SHA1
49ba6778c38996825761bbaeb14cbbfb4707c067

SHA256
5df3bb6508e8d21fc5687ee157ae6a7534e69a5fc6c9798277fe0bb6215148ed

SHA512
3b4a5d9309fe70acefcdffb7be475d0b224ae1d98b26bdbf22c3d7f1823f009eea5a1263167283ff1076027e3eaf32d5346770ed13577f9ce954bade0ac454d5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
b1f31985a4104a768962a852acf901c7

SHA1
3befe87e5800216a58e4eded43aa59a573dd04c3

SHA256
39bc6a84139d50a752c25accb0f07b845503e981d48ba67bc270785e0d021125

SHA512
fb553a50d58cdc54d83b64e060dc1b94daa8aca3d8169fa844a82bc1a5d22ee757c8616027b925c91d7c5382fd1b33d131fb281b1bc9d0f0acc6480adc2a6b7d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
94da1dcf72d504a55a79c8cb1bcbce18

SHA1
9c79d4484d9ab8570e60a5246de46d5b19f2ab59

SHA256
30183283a88773debf669642c1ce6a17fee69685fd9a60c72c8c77f8462abb81

SHA512
598e17d84718f5a743707d8356c73e1e471439af8ae0233716fbb9adc12db967c84ef8dcf39b266d0ce85156c09034b285e1d4faa632e9e5036cb3e80d8e277f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
e8b913d3b4a85453495e3aaeb5eba88e

SHA1
bc3c5388070b959f329ced6cc8f3ab745254194b

SHA256
ba0adf8d241c8c9fe6edb07c8ce1eb5c38a6c93c88adc0c08deb5bb4cc45b241

SHA512
96c8c3b8118e7d904bc961f8797cfbbf17fad0e400d00bb542f50cff6a0ab3949b0925da8b9a9da28cda0cf61f694606ffa437bd759264a21003203b70b4f59b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
116f5d0cee87dce39cd7c4879899f4f6

SHA1
4135aa874cac49fbcf270698f8979d8e2daaa83d

SHA256
f7b298984e9006b59e07a2cb51dd0f753324744ef6338ca64a53f4f0b2617c84

SHA512
91ffd7d967167ed5ae6db9cc9abd4c3e974415f178a89f69d74940045a2cbebd5e834f39a891ba58fe4dcf95b94fa5c581d9f0cee319341407edce4c862d5ae4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
841c86efa6c3b55dac4d6d92ac918b4b

SHA1
74d11f09ce4286c353f83f216f947b1b63e897c1

SHA256
631ea565816b1e1a3776515b4eeefe4936ca777d0264a7482fa58cb1f77e9f7e

SHA512
f1ffc47f4930bdedeb9fb5bd94fc1247399bb6a31439bcfeb887a0e892ff69e15152ec4bcd476cce613b804c190e797546bb72cbe1ccabdb74168c93b34ae6df

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
ebdb94714e4c50735ac8b32f251c2073

SHA1
e94e07ca8bef7fd0971baf75dff804f506562c8d

SHA256
97778f999ac9bc3f02b0405fd2f281a44dc592093382c3dd8d895610e3eb2192

SHA512
6fc632d769808bf9c56df1f834be4d23e25479e13b1b1a881c94ce8dbd53c88d6ddd6be84cdc136d877a24eab2d963aa5001753c3b8b2090d29cedee38584b87

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
8b20da96266d8a9da3e8f8885be2a9fe

SHA1
8383ee99ea196ce607a7a78fe9a8edcc141cf547

SHA256
614589fb3e31ecc480afc5e230f0979b8ae1160ab5dba8846b4be8e483358fc6

SHA512
5be66a04eeb010efe01a08a191ac4d03faab71bfc63662cb615b395e00da126a01be72c3a71ebaf477d0af4f8cbcc8894ffb98e648dc50f6a662b653431c66fa

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
57d68280d73b74457598c26994df29c3

SHA1
55b4372179be6ff2f1a028a8691a8b05e93e5b8c

SHA256
fb4a6a5f9aa3063695a7ef482f192dbd837679d50952924c031f3f38f941aa54

SHA512
8e774765611ed895d7d02baf976b55a0789766adac00082939df7774b901ab4f552f53ae83d6d85c724540744ea50cdac38340a81b0219b6ea73f63fe4c84bcc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
c8df12583818a8f4bd8ecae3dd1faa19

SHA1
bea000022e2a1480994a8dd871d1eabf0827269a

SHA256
9491593d9ce87c432a983576d66b8153ddfb19a204b0e47ef010e5b7c54228f6

SHA512
56b2dd9d76a83648e082d16849d599dcdb8ac5072a2f9da7191c71fcef0670a2cde993abf4975a2a38f18ea11f7bd9ae1568683f240a9d3e21ab840eebc126e9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
b215b036e10ee06d3345a69faf77fea9

SHA1
2aee888253efc4fe158eb897e72c81dd2907a52b

SHA256
6b721f430652f1f8119e8895db500e3f195d941e0afacac99c91c44a447d7bf6

SHA512
7a9580ded48bc8bd8023a063879a6b8ff16ef6394904be990aaa02ccd64f5bb9be70d2435484adeadf2227d51b1c90c69a5858e12a7e7b81a6a0f3683b65e7ce

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
10KB

MD5
e1e40da81513220d88e4f9546444f88f

SHA1
8fc2c2370fed0251ed8de0c35efbd70268444630

SHA256
f46515c89a5aeea2eeeff682c39ef69add82ee632bcdf7459bbe991999e32841

SHA512
605b16c63a0865d6b52828e6d3fe0dfba9a4c0a742389351cd4692cb960b60709e02a67a0f27adf8a258ef24d4a28d3afdc8191fd3d00e22f3091c60567786dd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

Filesize
1KB

MD5
3cf93e0bbab18cab1f747fb2880ece63

SHA1
a3f66d2e67aa72ca5fc10f08aff142d0a30eb5ed

SHA256
ff6be17f6f888ec3539c17268b082948ae8915778eb880ded808096fcd02ab9a

SHA512
f553e1c99c494f02c476b265f731395aa623e63fc303396f3ca72e19379099c245c20f898ce7ad0ee142ab80a324182fbebac424acaa4697880db9740222af6e

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
da79731b917f6a1aede6626923a76997

SHA1
02d3cadf6c1aff9788ca219c3813c4e9ce906838

SHA256
4b3943d1d6690b028654f92d56b3460ea76bf1642ab2ed14b0de64c7090ca811

SHA512
e09889fddfbd92e483eb7e629ba773f9021c98f7021916779477173d76acbfb1d6979dd396fca0390d383f916d82c70a22c8dc4d7632265fc263c0c50d8741df

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
2117e35560ea27d2250d9cf72c72a200

SHA1
9557692df94e914ba02c69c4e8c6ed34fc117fc8

SHA256
edb514ef0b2eb01c8314c05408b706d5f35751e51b415c8f64da27fc38aa2f52

SHA512
5b073d360beb9ab9bf3500ed7c3ca4fa13c143045092fb28351054d6f2865dc70e935abc61a8112a39045b3bc6e665ddab42828b82dc97b8377a8fcf2a295bd1

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
b9598583d20ec9483a5ca2e5229dd0e9

SHA1
0e87cd4f18417b438ede54a04c1e95fdeef1b85b

SHA256
8a3bc94bddb4b9109f4167c1d4427da54814e0f08f1d67f9aa62ad56812d3957

SHA512
abed0699f73d74bd2385ba047d341b338590fd96df6c2f72b8f22f465e766196ab21a4247ca4c1008ef9563364a70c9bd2bde18bd66a0b018bff4c5bfe2a419c

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
f87c56ab6f72d76f7dadf47d2d7971d8

SHA1
bbc886ec1502eca5501a0bef0374cac7056ad49b

SHA256
ed698c3c19a6d6162b850aeb4cb9d7a49b5acb0bb3c17b25111211f53dc0ec25

SHA512
2abd855bc03284d606ec0b02816739bbe28a573c7bb0f14a9490d814ba9570332144d04774e90f773993f9008e62e2d80c8a45eb672c6189322be2910b3a1f16

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
b9504a2e41e218b96d9fb7ef91c39d32

SHA1
cb9fef15d4168647b10e68dada8358682b59df2d

SHA256
c16109fbc4a171c6e1fee88634d083cb1d94e1a4d02cc1c4bcca6350179d58bf

SHA512
3874b1590f1fceaee99605fd5502c142cfe669e487034e74ee92436d20064559c96d40677e7079b061ae63bd1629727062a6fe20089d72b220ccbfddfff67c73

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.Lck

Filesize
1KB

MD5
b1d79e4e607688fa7f127f6cce553dda

SHA1
d8d34c1d0846b39b7801d320dfb6454aebe76a36

SHA256
05ac6ecee786f3c90b1f077b400b828e2528ecf403238d362fbb8486471508e4

SHA512
cbe4ab76913c54408eabaed9b788d1a86648d55aeb59a679b260a45a08e1ba7db13164616f2abcf416cf2e36da5ba0e60d52a15179e92620700d0c7914cfb14e

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
650c956123e52a36e40536f0f6482b54

SHA1
bfdcd4fcaf83cb29f2ffe637b7bcaef9bccd124d

SHA256
bf20f8fa465a6769810b66b4551c7475bf203cb8157edb52992d300e6a390c65

SHA512
44966b1d5332e9557e9a5127a541aa9037475b005c68bc7367a681c17cff2ce435a8b069fc37852ddb75b8861502609c8169874475360d1365c0602c36025b87

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
a4347229369edd0899f91c83f1fe6312

SHA1
2ea58b488df738e5de4e4fcf1cbd06e7a1cefcf0

SHA256
84b65da311ddf27ba3beebadee338b7bf633b538d6a9baf8a40688ce1cf53250

SHA512
53908fc1bed783a02352367587cd5304e1c56d29dc01e14b7221b7e96968b78bca097972bb04db364089c43b7ea63083a0c3c51a102b5e85064e5e7848aaa1da

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
239dbd343d239e084c83f64675d8ea4c

SHA1
146ef7e1a22879a43c0053562a7eeb2bc544bf4f

SHA256
e48232ff4c8ec670f07d62e4787975f3029dc47edb9c263bf7d73143d5e88151

SHA512
c18fcf51c2c2ee47cb3b14fc5014013c232e7aac8909bb1ed5790a7a63f9ead5cf2ba8214ba684f0760d96882a3dcc798bc23e4d1ac7d14200f03c27b51ac8ef

Download Submit
F:\How_to_back_files.html

Filesize
5KB

MD5
f54fc94f36af2cf43972482d52e5da48

SHA1
dd939b74cdf413eeba722a4c4e6955aa71cd2599

SHA256
3842c14b4dd86afe228bca67e25672ed905588cfaa09e9e38e1dddf05b8ba612

SHA512
884b5db0bab0ef26e425c4e1dce9996a43de253d83a3985169f54d490fd72f57c132f56e9cd8168c024afae26701289c1b1e81c298ecc46d5ae803b9fd422612

Download Submit