ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
185s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-01-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Size

333KB
MD5

db88a1bd11ca3aab7a0890a10a10f45d
SHA1

0e01e118613962e364b76869bcfb9d26cf0a6505
SHA256

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
SHA512

b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023
SSDEEP

6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">JJ7+8Xa1aWJcLml2z0sYLIbrBMEnq4x0Rg323lYDo6dpJiLjdQdGtuKYkEVC+fCKvAOEKXNCi2xntwiR9q7Ko7js9S6RY+amwnPuma/sGxQad6uTiJtBiiX7VI/bz023cst8FQac+yYf9sxjAFf1WIQujNHsztzxSN9sRSah5rkO5qQKFNXm3U4h7J9q9QWmmbSEUGviWwVgn80DM3YpVKoVSYDzE4hGkbH5anPWC+xXNzPo0gcd888tQEZiU5uBLXLjygOgVYbh6WFDR+0PJObNf6F/vKiRnobzEr6pMZraPGG6BT5p+K6KmA7ceGAVsTk2VJJF4mJG9lshS2Q8GV8hGDqzoX+M5z0isrSAcPItPIR+w3RojglLLfky23uxuzDVbFNZdksADky7UEve3ulIuCVRHS3AmiEi5lt6SkpxtXhDGN1e4NFDDEKpDbOuxkgp7hCZ8YyvJ3vvhi2dvQGTi4jQSYr5Pk5MgCj8JpUVewZwnHL58jOUy1mXTqi3RsxNXjl05sU+46uKBLb+GibenvNWRG27mRoTCLUeufd6daIdXq1pwByLMYgZn/JP/JOqaW7f7T8TFDXtuxe0GBz7iJV+G8pk9e1QPY7xaRsC7pdgnqA/bjVdEV/faUruP55tbF45TczpK2EL6jB89GPdevIe1PN5sA6Zd1elzsael/h637tEVt7CGseyrcEJJ1etvE03LPzcakwD2Euc3sCSmqkAD7q8aiGWUcrYhey79imRSiYSMB2liW1kAt32YRp0VDeiudURKNcb570FkmjYSa/OgnWzpckQAJ7QOFwb2/y1xy5U/v53dlYvF5xR+7RZlRzVWu8G37tw+D4A1YllES8RfeVyFlM+eDhRDBgopfF/4aLVYj59HClftfMIPpgS6G7pGHC5OSi53uD9tmgOOqM/3WLXnYtteZ3RnXhvpcmJ01Z67AZdEs89iF8aJtgac5KlCwNiFlZy8kw/dneTq+wJ3bqYp+UdcDBSG18HEGDuvk1vCO9w8HK49EmHflEPKneaMNHhhna7sjTX6+WhApDl9WGA7wlmNy3m/J4IBkx4r0j8mIe1GIEUv/2aeMBoz98TJR5hyLUpjyGHuGncLROHEThFfhS6SAVgW4fZNRUf+Xnsulsgc5AbwYJTAgmx1N0ilelMSCNiv4pRd/okSFTrj4nmjS3hSyF1kfjUXdMFF+BhqYPjK8KfoJX4Kwrc3TPVGsIHwyEX40N7FGiMDPwgXAikx2hLX4Rm2Rw/E8OBm/8YCxGIpqds1svcG6AHCLa/aXOZquzKzRTVfWJ6h0HLotXyEK1mixndlocy4fhxywApXWgWaER1lDnROytR+jpaybV4GGBgZ+sJ7jPo4WFElYQM83ieKzWvgv8IJJj1/n29fo2FYLIFYhqzxJxBimxvx/tL9vdmprDHXHctH81HiZaj3cBfm1jkFD3JM/t12TbALrpj60CexjalrMQ3cFQbJsZh1BsmX5xP8YFAZEt4UB3bMGKFBmhPqap+vG01DhBAKA15vNTN+wLwPc8HSTU7HL6vK37JvXpTby63R5i9QKXhKU4Kx8F0GbuRplZwkvNGY3IZutkheoW7HRZDaInO018/eBDekAKqifElPz3Gmh52CH61wHpcAW8ow+uT283gHmbwib7LuLg/Dmz3gtWpmyJS/Xy1a/179x8qdkS3iKC9MEQAdM0hvSM=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2948 created 1264	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	17

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1592	bcdedit.exe
776	bcdedit.exe

Renames multiple (7577) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1476	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2252	wbadmin.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\G:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\H:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\J:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\N:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\V:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Q:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\R:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\S:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\B:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\L:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\M:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\P:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\U:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\X:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Y:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\T:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\W:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\A:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\I:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\E:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\K:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\O:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Z:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh88	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationRight_ButtonGraphic.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\ZoneInfoMappings	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\PrivateBrowsing_70.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105386.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98.POC	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.bfc	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR26F.GIF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR49B.GIF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmlaunch.exe.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0240189.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Thunder_Bay	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tabskb.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01044_.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01039_.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115835.GIF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianMergeLetter.Dotx	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Memo.jtp	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_down.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR7F.GIF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115856.GIF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04332_.WMF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\picturePuzzle.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yerevan	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationLeft_ButtonGraphic.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\PREVIEW.GIF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2552	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
2404	taskkill.exe
1908	taskkill.exe
1640	taskkill.exe
2872	taskkill.exe
2280	taskkill.exe
2588	taskkill.exe
2528	taskkill.exe
1432	taskkill.exe
2908	taskkill.exe
1736	taskkill.exe
1620	taskkill.exe
1600	taskkill.exe
3020	taskkill.exe
2316	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	1432	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2288	WMIC.exe
Token: SeSecurityPrivilege	2288	WMIC.exe
Token: SeTakeOwnershipPrivilege	2288	WMIC.exe
Token: SeLoadDriverPrivilege	2288	WMIC.exe
Token: SeSystemProfilePrivilege	2288	WMIC.exe
Token: SeSystemtimePrivilege	2288	WMIC.exe
Token: SeProfSingleProcessPrivilege	2288	WMIC.exe
Token: SeIncBasePriorityPrivilege	2288	WMIC.exe
Token: SeCreatePagefilePrivilege	2288	WMIC.exe
Token: SeBackupPrivilege	2288	WMIC.exe
Token: SeRestorePrivilege	2288	WMIC.exe
Token: SeShutdownPrivilege	2288	WMIC.exe
Token: SeDebugPrivilege	2288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2288	WMIC.exe
Token: SeRemoteShutdownPrivilege	2288	WMIC.exe
Token: SeUndockPrivilege	2288	WMIC.exe
Token: SeManageVolumePrivilege	2288	WMIC.exe
Token: 33	2288	WMIC.exe
Token: 34	2288	WMIC.exe
Token: 35	2288	WMIC.exe
Token: SeBackupPrivilege	1452	vssvc.exe
Token: SeRestorePrivilege	1452	vssvc.exe
Token: SeAuditPrivilege	1452	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2716	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	30
PID 2948 wrote to memory of 2716	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	30
PID 2948 wrote to memory of 2716	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	30
PID 2948 wrote to memory of 2716	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	30
PID 2716 wrote to memory of 2620	2716	cmd.exe	32
PID 2716 wrote to memory of 2620	2716	cmd.exe	32
PID 2716 wrote to memory of 2620	2716	cmd.exe	32
PID 2716 wrote to memory of 2620	2716	cmd.exe	32
PID 2948 wrote to memory of 2848	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	33
PID 2948 wrote to memory of 2848	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	33
PID 2948 wrote to memory of 2848	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	33
PID 2948 wrote to memory of 2848	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	33
PID 2848 wrote to memory of 2568	2848	cmd.exe	35
PID 2848 wrote to memory of 2568	2848	cmd.exe	35
PID 2848 wrote to memory of 2568	2848	cmd.exe	35
PID 2848 wrote to memory of 2568	2848	cmd.exe	35
PID 2568 wrote to memory of 2588	2568	cmd.exe	36
PID 2568 wrote to memory of 2588	2568	cmd.exe	36
PID 2568 wrote to memory of 2588	2568	cmd.exe	36
PID 2948 wrote to memory of 2288	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	131
PID 2948 wrote to memory of 2288	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	131
PID 2948 wrote to memory of 2288	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	131
PID 2948 wrote to memory of 2288	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	131
PID 2288 wrote to memory of 2552	2288	WMIC.exe	133
PID 2288 wrote to memory of 2552	2288	WMIC.exe	133
PID 2288 wrote to memory of 2552	2288	WMIC.exe	133
PID 2288 wrote to memory of 2552	2288	WMIC.exe	133
PID 2552 wrote to memory of 1640	2552	vssadmin.exe	41
PID 2552 wrote to memory of 1640	2552	vssadmin.exe	41
PID 2552 wrote to memory of 1640	2552	vssadmin.exe	41
PID 2948 wrote to memory of 1944	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	42
PID 2948 wrote to memory of 1944	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	42
PID 2948 wrote to memory of 1944	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	42
PID 2948 wrote to memory of 1944	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	42
PID 1944 wrote to memory of 2860	1944	cmd.exe	128
PID 1944 wrote to memory of 2860	1944	cmd.exe	128
PID 1944 wrote to memory of 2860	1944	cmd.exe	128
PID 1944 wrote to memory of 2860	1944	cmd.exe	128
PID 2860 wrote to memory of 2872	2860	wbadmin.exe	45
PID 2860 wrote to memory of 2872	2860	wbadmin.exe	45
PID 2860 wrote to memory of 2872	2860	wbadmin.exe	45
PID 2948 wrote to memory of 2816	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	46
PID 2948 wrote to memory of 2816	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	46
PID 2948 wrote to memory of 2816	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	46
PID 2948 wrote to memory of 2816	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	46
PID 2816 wrote to memory of 2676	2816	cmd.exe	48
PID 2816 wrote to memory of 2676	2816	cmd.exe	48
PID 2816 wrote to memory of 2676	2816	cmd.exe	48
PID 2816 wrote to memory of 2676	2816	cmd.exe	48
PID 2676 wrote to memory of 3020	2676	cmd.exe	49
PID 2676 wrote to memory of 3020	2676	cmd.exe	49
PID 2676 wrote to memory of 3020	2676	cmd.exe	49
PID 2948 wrote to memory of 3024	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	50
PID 2948 wrote to memory of 3024	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	50
PID 2948 wrote to memory of 3024	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	50
PID 2948 wrote to memory of 3024	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	50
PID 3024 wrote to memory of 1476	3024	cmd.exe	130
PID 3024 wrote to memory of 1476	3024	cmd.exe	130
PID 3024 wrote to memory of 1476	3024	cmd.exe	130
PID 3024 wrote to memory of 1476	3024	cmd.exe	130
PID 1476 wrote to memory of 1736	1476	wbadmin.exe	53
PID 1476 wrote to memory of 1736	1476	wbadmin.exe	53
PID 1476 wrote to memory of 1736	1476	wbadmin.exe	53
PID 2948 wrote to memory of 1684	2948	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	55

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
  "C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    PID:2288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      PID:2552
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      PID:2860
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      PID:1476
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:1684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:1372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:2032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:840
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:988
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1716
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:956
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:2148
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:2064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:2068
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:824
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2792
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2688
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:776
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:3032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1000
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:2004
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:1556
- C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -network
  2⤵
  - System policy modification
  PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2960

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
1⤵
PID:2416

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
1⤵
PID:2408

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
1⤵
- Kills process with taskkill
PID:1600

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
1⤵
PID:1624
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSSQLServerADHelper100
  2⤵
  PID:312

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
1⤵
PID:1092
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSSQL$ISARS
  2⤵
  PID:2308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
1⤵
PID:2140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
1⤵
PID:2224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
1⤵
PID:2008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
1⤵
PID:2916

C:\Windows\system32\net.exe
net stop SQLBrowser
1⤵
PID:3064

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
1⤵
PID:2088

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
1⤵
PID:2196

C:\Windows\system32\net.exe
net stop SQLWriter
1⤵
PID:2180

C:\Windows\system32\wbadmin.exe
wbadmin delete backup -keepVersion:0 -quiet
1⤵
- Deletes system backups
- Drops file in Windows directory
PID:2252

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
- Deletes System State backups
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
1⤵
- Interacts with shadow copies
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:2416
- C:\Windows\system32\taskkill.exe
  taskkill -f -im msftesql.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
1⤵
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
008231a718eeab61c25dc98901b70e03

SHA1
a97d95c6111d6b8f6e6497e92aff72b28e1406cd

SHA256
058b3183ce5418747a3861df5033d3e2ab1706ad3d84f43fdad99a9ca44eba5c

SHA512
a611e91503138790b30fbf1c90bf2a075a0e947bdaaba14cc87c45092fc2cf7577cc83274578dc77f2d33188cf989b80b0d61b4aeb42053c79d22abbb6cd4a21

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
505f15b3cce857463c5e3068f092dcd2

SHA1
ff5ca749452db3dfe4873852eaa87c8dadfcadc8

SHA256
01958624f0eead958c975d6a267b19516c27a6a4981f5f2e3cd926d81f4a7723

SHA512
4f3619f9a7b24dc6183de4436823ccfafeac6601032d387fc6c7afc9b4c3d46d22ec65c15a6cf5b72224f6b25ce25224ab9895055cba5f9ad2a03c5b0639a6d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_OFF.GIF

Filesize
1KB

MD5
d7667dfbe1e4ca67f285da420d8c44f8

SHA1
d07f0cb4722558af52ea82bb82510f422925aec2

SHA256
19d1b437eee091b9e261721331a7dceb50ddffc8777e23b23c9d8f463fcc50f0

SHA512
f22590cfd65eeedd17285215950e03496ca94eace7dd34a0aad8569cf3bf83eb1eef94d4a578d5b36b030d9178b7e8444c6c7784c1e63f25dba3844a1866baa7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF

Filesize
1KB

MD5
42d610565906567d3173f1c1026ed21b

SHA1
713a2415460d794ba866e2864fd532df4858c3bf

SHA256
9a5a1502d1da2cd75b2d278d72dbb6a713e2c739f41c40379dd7dd8b85691b45

SHA512
cbe73ad064dfaffe66f8ce82c6b53ec17c6bbc5fee5f5b977b9ce3ff589ad82d6887560711a945205d8cb57b8d2d4a6757097733f67f836479cb962be16fb3ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK

Filesize
1KB

MD5
32e297bb59f207a2239e172958f66ef8

SHA1
971d1bbb80253b8bef8e19e92dce4ed263931267

SHA256
0af91adbd709116ca7661a392ffaaa158122a6515a407c882f62654f9b6e6a04

SHA512
93f8641d8882b19dcbc17283544fd70a84f2bc87c95ac8353f9c938d76455f8743aa77c25d23bc2def9b6065389a5f424690b1de6066baae79cf69386171c701

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK

Filesize
1KB

MD5
09f86df0083b8df6349af6a120ae2cb5

SHA1
237e293942607d6fb8965b25b58bd71fad271cf4

SHA256
7df660af0f93dd9701d90fbf51493f4b5826c8e6a2c0bd9e46bc386ad7b67830

SHA512
dc0eaa9fb11cd467dc4906931dca46fd70221a7384cd56d11f067e2830faf675f4928de3ed6d9a6a5b425cc12e02126e3705b3df8b17403a7c8cacf21d5b45ed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_F_COL.HXK.itlock20

Filesize
1KB

MD5
483919910d758235b6a3b7202362e4b9

SHA1
2502b2cdd942658ebeee5e507add24d9d9183907

SHA256
3dcdeee85413c4f1b285718905e92a7b30c3d85448d95a5d3856ab9a034fa979

SHA512
fefcf78f018f44f7b5c771ff68257513254b1ab47756c555f4eebf06756644798f03f95c6877fec4eb25e490467ff0f013ad0e5e07a36f256c30402ffa8ebe72

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK

Filesize
1KB

MD5
4901ec193ae7fc99ad7ad8732387b5df

SHA1
e83b0de806d3475ddca8549c5ac43b8c2628d4da

SHA256
d106684c70abbc6159baaa81d62992614c6ffcb5b6cf3ec42c7cb2d51260a5c4

SHA512
9815aa79de20ca88223b39aa41e5a08df430299a277a0a296f34a2d9489582ceeddb1bb59eb76cb0344f99d1e105d5be7b841d1f4bc9bb71182271c769270667

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
f37b053bee3f800608e71338947917b7

SHA1
02ed9d8cadf06a75e5a6523905e4813cdaa3ca91

SHA256
3f5ae9c57dc7180ef73b5b7f43755847f8012ddd3dabda4a354d38126c4e78e6

SHA512
5457fedcfda46ab0cf8e0b6a78786639deb1a825dc2d0d80b66c52875f4d88fa4bc2c665a5ca457de7fa6565fb0fffed4b5f5ae86d463ce92813ed2d4ce37b8b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

Filesize
1KB

MD5
cb5b926398435986c3ab4583b09a1ea5

SHA1
6295aab6299a089d5d8406bd6c7ccd00b455f915

SHA256
3bb0ec1ac86665bee109c1b62eb8bd12649cde905c6145c7882e648b0fc9421f

SHA512
99958c1f13e8a7bee2d318809d2f0b1342889755fef9889e5fbdc625025effbabce4ccc0a69cee0279b40cb420fd801e0c3c500e6a035d9a1ad58040dc69fa7d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
bdef11ba28ef20e4ac21238f5f5cedca

SHA1
c90283737351655edcabe55c4ebe255878132475

SHA256
ac6e8e1b1c5623888a4e1560a25a69f2708c0a4ae5085362c1e8442492c0ee14

SHA512
1b3e844a946e918bbae71ec9d51804a4441e4cfbb87d5b2ce8b04af5d8a0378ffc9b97de8edcbbbd70cbf8c745508551c17d5c2b8eba7bfde3df5b835604af91

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
c2177a09fd1d2341823d58a6fdf74059

SHA1
463bd6e90b8de3503ddfeba82526302eef7b38c1

SHA256
1be93f986537810bcc374250f4683c554a6b5c88dd5d0730de85d15843935e0b

SHA512
379f8093064256cab2db8a97e51a1a98e7fb56336ce1089c6cc728c2f21106482ad1b2d52b08948150217db8bfddbd292826d81f94a90ae0059e9f8b17672f40

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
b655d11f6e93c61d18be849d1d3c4221

SHA1
0df7066dd6de2430a0d305d820c6ffeff561c026

SHA256
33cc7e3d64d068d6b2fd45435132c67ec638e74b7f4c12d4bfa917d4e2ef1445

SHA512
0efd5aa4b80ccef10e375dda7ed89d2c6732fe9c2e34ffde238a9aa404990d1c7d8b0b409ff41a2035f1a8d0a0675154908b9072153299d4951e3e10e244177c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
f01944678771767bfe3b18cfe30a4163

SHA1
6065b01e20b4fb7f06ff6e2f0e0712dc1e449a49

SHA256
069ce80231083f9e27f7b45d74657e12a6182a6a7de22b4c4d269e2cac371961

SHA512
f9317ffeda1eb7ebf8d244c76f1b52585c17d6b5205ab15bfe0cc2c185062ad08418320bf39a8abaed38080964ddb341db4566b65561e19f10db10ca5780ef8d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
9bac6897c214d049f5378658035600ae

SHA1
3ab7745c09da52f7d5762cde209c1de31e69ed83

SHA256
c13b2c9b41d07eed4244ea5f929bae9e70da08f18fcec3514fb41642ed775ab7

SHA512
be877068d6160bb0c282745cf8dea8ea3f7ac6d80f6be93490a0da777a54a22be4c21a35b9beead46f77399581621abff9fdf3c529f92e99f8dff93f7556546f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
243fd00fc98be4ef4c0c97a93f662564

SHA1
3013183882f36a4553e4dad2b022a0b87872c78e

SHA256
5ca10f77dd4ee4c1d2aecf23eb7b24768b0a6dccedb2cd16cd0d99150088ef38

SHA512
bfb91afa6203633e42c703c39faf16d6a90ad55736b448dff535b1ad56af48b5e318705bb8737acf4ec9549bc9d3755821fa87ba788bd1f1792119101acc1c88

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
32c9512bc24cf6f28b0a2c14c8141fd7

SHA1
dbe12f5e6be67145524183f9650cce682351c69d

SHA256
18646955a7101515c5f3b57be840e98b9e15fee488c505e8b46bcf741eb1bda0

SHA512
b4e86fc6e29fe1d94b4cb13dd0b554383ccdf6314a6580b13b12d66097d5cdf1c57254ead6ba7077c9eeca6667b19b83fc3f4e511fa27a703484597503ef5fc7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
bae0b138644bb7dedd1faca01b4e9403

SHA1
b7c141f3df3f727bf1722c65e57610eed516b102

SHA256
9f3aa3b3ca51b76ed8fd41bbcf712bf2cc74d94600ef0558804e07a69b215727

SHA512
ad7f16ced7e9dff8a56ef57ac5aa778db7917f88705ddc2b7e8e1c12bec9fabead0f98f9ccf67af495a847e046d1bdcebd787b48f0e3abc9a4e0938a498f3444

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
25b4dff2f185d7ad73aa66f127f22130

SHA1
04f0539000f037dd6fa107ca3a91c9b6161d0c39

SHA256
203e89b9ff5b347c99eee354f956723e32950eb026d896df559f974187a73e01

SHA512
dc0487a10723731e26bdb2f4442d9fa8f734a47a1dabe1c54b84c4504c4bf934b549a4e4f5ed042419d670ec5871280ca02be02b89961eb56151f97dd9b0aea4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
2ed69f2626a58a636bb1c0006d3d40f6

SHA1
45250eb2b450b27ff3be45c3901eda9476cc3963

SHA256
7c50d27193304a93f2134fe598b43e401d2fd96a79a7606e44406dd557f8557e

SHA512
147d27a89a9e4f94e01c18f614125269f69a1f22d19b749f33c01c2f063e9eec92b9f14b9afa93b4d4b86cb312aae933494d214e9a4714646c0aff6a81876bf0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT

Filesize
1KB

MD5
ef7734620a608d3b7c287998c076a1fb

SHA1
fb14f3a3dd918db514795cb48b5de6601f3b0e46

SHA256
ad99fb0c6a424bf09ae81b43f0e4c3b87def916f2d3f6177e4a2885c10af48b5

SHA512
3371b784c296e65168b41400054af1b68f89eb63f403d1502f9e1cd41d5b72eab76bc4c7da39fd451addbe90aa7a198b6b45ef50710483ea38122cae70590096

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
888c3b9aa9cc214e783ceca9440d188e

SHA1
b26ae204bf731aa2d7883c97590270017dd28781

SHA256
4b433ab273ee900632a012fe687aa08abc747775cddae16cb81e441784f0fb58

SHA512
a4ef2136483e6626eee189f4fd2fe6ecc804926cef9b36ea147481f4684e7eb8f57873a99da9923321ca1efb09787b7bd6630ef7b8afcf7fe338b2ea498a6233

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
c1e0ced74c87e40a0cea9276cad359e5

SHA1
1f1306dcfbbfdc077aeeb4893ad3e2885d826cf9

SHA256
fcd09f984d6e6fe45efd6cb902110ec59b1462a4ff2b853f10129a5742ac517b

SHA512
a7b5ca2d13743a0b522e59e672352b08aabbd05d9abd02005cb09cfd7515c753b2c448e91896ba320c3ae7dd9bbfc8c70633d0273ccb68096e60ae13d1bc89c9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
b5dbfd51771677236b9c10f586a4e613

SHA1
548d626c7bce797b0ecbee4f2f44715505fa8b30

SHA256
7c48e3368dc51b2bbcd65c796665eae218e4f837c9c9282832a08f8510387c49

SHA512
bfe27b07db2e00a3fd5ab3acac1aa1998b35dc2bd453a46c086ab3d73b2ba90eb4082b8aa6f596bba659e9b2a337eb98548938916dfd18af05c191bef2e4a3eb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
2e04d9e48bce9713647d6347a8e8c1d2

SHA1
0c73d272896944bb7f42f44b668547af721384b0

SHA256
43de8cbdb7fe6a09909bffa793cf0a8f9dd2c4116d6cf413ef8d872ae0977dee

SHA512
74e9e75738b95c519ae3468cca41e1582627bf2e3a5529bec5511d9572968e0e659404e133bd85c83de7974197666c1b2b24e092a42a774de218e05160fb4b35

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html

Filesize
10KB

MD5
8b2aca78a3935f9a9fef74b3bd41ac1c

SHA1
ebd4565984431223bb6db7e0c4193d4df1b59124

SHA256
adb72fa50a17f12b848f340b3152848d0836ecb8dc55a3196a67bf3d1775859e

SHA512
fc16db81e49f9df653e18f018e76792cc077f87a37cbbb7b95f55b7314a659031bbaf0e7caceeb1f9846be6cf6fc1fe73564a5e9d8a3ca274f7f9298af85ffee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
b2a60507e8c1fe26a2805e2039d9b2d8

SHA1
48ad457c7d992279b4c2105ffe076ab8dc621410

SHA256
b805eea87bdbfc5c75da770d977979fa773bd40405f9df0f56ab13a604f72d3b

SHA512
351d2ba9cd90bd79660c3a88f1dcd5479ac773c77752fb2c750cd75f8e9ae447a0c46ddf1dd207f85edcacf813410c19d18d7c71e09fdc881372db796ccdb6f5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

Filesize
1KB

MD5
031a744e7681545d77eb7b74df150a4e

SHA1
f58534146fa8db4531764383c94378248f5fe1a3

SHA256
c74b211806b7a5e8c2db05692182ad73fb2a0ee248d59adfb653eeee3e37c86c

SHA512
f87bb621a4d49c74b3b2e785e60e7b160c3e2b8a66f7a775614a1c0554913f0ef485dbdb82ded849dc7490c12ddafd36c9f72d7d7134f6b6e5f8aa9a10d85d12

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
a79adfe8179713a87376484473379457

SHA1
b4dfa75ed8f979a66972274d9b5eab975b46b7c5

SHA256
62828bd9aa80113f10aff86df1f3d737114f67a2106b3f34dfa568e6d2304bf7

SHA512
4e2229ae20f9747fe84ea4118f399ec47fdbf3d61d6bc2ae584a2b2a709ff7dce4ff4dd5cee28a0d714c6df9683f24b07c234956d8b67d77e5f5267f878e1bbf

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

Filesize
1KB

MD5
a2b9208b38f99a19afc78279b751073d

SHA1
a2e30e35e24980a3c16f1c5c6a0f3c4a6d68234e

SHA256
a538179a8454ba33bd3bd43cc74c35aa84b9fb715240575baeac2d9301a2e4b5

SHA512
8947d51cb8575ae292f6f881045c2b4070c63cb1bc4aac3d022233295a4ef763b815b636f8bcc1fd9ee9285334dc0b9ff817ac2ee6dcd15ed731a314ada2cf65

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

Filesize
1KB

MD5
14af8a682e5a67eaeee3b220a39409f7

SHA1
1f8a2e7ab9c38d7058a3ae9a1363e3771f97c5bc

SHA256
b757fcc2f9125dcfa88c5c71d6bf6e0f13431e23c58442e2810df448dee76467

SHA512
a157b71dd98e0fabc3028725fb2254f7aabe40913eb9d862bcb5ee560562c2f3ac6eb1204df1f31a051e83ea166212b0c4695eb6293070f6469fddfcf605955d

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
616bc72361b9d9e4a6915a29ffbc5955

SHA1
adb4e1467361eb71232a62238cdbc3c6fba630b7

SHA256
7d667170d4bc5f87929a12c4caa54bc4057a36541326e2834c8d07ea2ea5efcb

SHA512
eb8f050e4436e94f3b2fc5e7763807807060147bf47398d40234ad98286607d36681473c112e41b3e8c943b11ba27738dc783acb940cf63cfb20fe1140f91abf

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
1915921067d274b717d58ead70c91df9

SHA1
964d18b4f0e64e70bfbf70c1b823d4f075ca7a49

SHA256
7d9793a38a5846897039e63e928ecf70a5e72803af4c0989fee1ca4f8bdc6ffd

SHA512
dbf9327f7ae1b5aa7e1372fe93ffa7ee3e544b5627045f3c8694564770f29636862dbc6e1c52121f37e4518501d65d897510f64853530b1779f0607967f6a37c

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
8d4d8020661ff68d9bd9b977b7092734

SHA1
ad482921a62af6f88d6de4291f676a7ed1ecd299

SHA256
8acdeea4269a0b4e019c90afbece2422123626806ab19a802015959355c8b5cb

SHA512
2dbc263811d4dad68d0488ea4c6af902e51a2cd7c1496dee3025368e35316953792732956ac0e238a5be6f06b1695e0e075f8c93d7aed58074b2ebfab0fb90cf

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\vlc.mo

Filesize
764KB

MD5
e15831e211ef7686def13fa2d7053800

SHA1
da8b03a7808460b73827ec75c6f855a76537687d

SHA256
65d4a94b63f37aeddb522c4489005a39540350682df96cba89590cbcc88f5dc2

SHA512
171e3615755dee3a607074b65892f9c6dc178cf178b4cb64162a9b3116499ad2d09087170e697aeee02b3acd1f56c354f6da13512f1a40df2814cda86428a30b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
23a955ba7c4a817d7d8b12c900f9722a

SHA1
6e693f3520f282ec9e8bb32fcac13cff30480200

SHA256
19acd19604961cfb80c6396bb0645fe451f09da6162e8914baa8bbbeffbb55fa

SHA512
43406e4ff76ded78dd4e33f7bb1db0678b84a18613b6ceb6d90aacf00974389643f34baaa94195a5d88b8e8f33d4d3467c96b85e8f09a07e7f33ee155af659d8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
3628dd9e37ec48ffd9f0b89af37c8845

SHA1
722a7032a579536fe3d4eae07a8d2f72142880c0

SHA256
d0a37bc916978a3437ffabae74d42c6cfe1ac2c029b2da9aa09da5e9cd650ae7

SHA512
ad4af37c64cb6cd387ac8ac10bce537335310e9e9c2242beea9e71cc2563585b8d7a50af8882439dc86290663e3352b128f6143ec3efab94dbcbadaf75c8c7bf

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
0c78b119becba8133d3d7895d68daf59

SHA1
4c9c69790c78fb2a93c66eda1af10d8b49a99153

SHA256
25eb0b9f8bc0f27e12d967463255ba529e39dc754581efb9de30ee22eff119c8

SHA512
07a5887702a8805040f4ef76514e86d5c97415d1ede2e32a9d622c08e152b68116b446e70b4b04b1665e020c9c904f53f2adc41eb9ca810db30b8cdb387c7c45

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
2cc86477db812d4d8476a6f95c9e3197

SHA1
2d7a6935d2e323e95859af6015bc1ae35f36f0fc

SHA256
3dd7798d86b4417ceb377c656c03f85f6ce9fd4a1c3ab01a23defa58f982f877

SHA512
3220dd96e21d75913c97536a839b15e7bed146ee9397b99827355358cabe02c88b5046791c56fe930dcf12eb032b37ef11620684091e1474dc53934bbf7d788b

Download Submit
\Device\HarddiskVolume1\Boot\How_to_back_files.html

Filesize
5KB

MD5
e06c41001d8737942533a385bc97dff2

SHA1
1659fa9730a4b6929e97a5ae41527941f134197c

SHA256
8209a9d47c33283dd2892d6082abdd4df2ed20aa1387e22ccd166b75c90f1110

SHA512
947f230ca795692a1d9f01cce03c03dd82c2a4e39e265416592c85e218696f46d5762ff23a986dee87bb3b0ae7a82cf6e78995812bd470e656742c3f9c04c009

Download Submit