6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
Size

334KB
MD5

7112401374cf8903070d6927e2e1f395
SHA1

1668adc483cf5549e30197217ccf4dd4ab667eff
SHA256

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b
SHA512

e93aeb0f651773e9b6291e684ecfd1939f14baa2f0eab3146765de484fd980b636c3bd878455b326c0ad0c2c23980371f9bde5efce20e1067166e06490aa7d50
SSDEEP

6144:Pkv89W2QcboLPlZbqEKvSlvgXCBVnTDg3GV06rPnej63AVLyEXq:Pk09XelZbqEKv8gXCBlPHeHLyEXq

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">9efGYKzqHKXoHBjhXKZDPRZ+9lokGdW6Y5D61CouQyCrpfLE1AG8TQkmibk0vlgD2Yk8FgxuhARUhZYR2Hnh45TT2WJQ1jlDTfY/aVGSDDTNKmG4BaPScrPh7pwaqU0kJcQpoCPc1+/Cbqnowl7BdJ47pA/bzqs1Y0pbgaLHDVz0l/ZBI0Di+/MnkJ2x7dugjKq+fA0oR/7XEnL9IsoSV9U9+pnvYS6NkhowNxRgiwgbMwrS+KwJYD9WaBysRvCvSSf/RV2r+b89gKDKMsDQzf2yOiavnsMASVEGXwo8BVRKpoUsCmDf5rla6yG9W9sf5f5Q7o37c1cxS/Nmux3POHr//UEX41bgvWkf+Qqc8CAfhsw4s/2aWnYeZ+4p/8OQOagC+TPLMh9FoqG5Eah/iHvWHcePnF+2KZPfBHzqFmocchs04RWMku4K2d5CMpM10N6DwWD6T2U6NuSZMmnFdtVz9XxxktBbt9wJMMmdo7hWg5CJwf8owxUtwJmZmjdxu2QWk2d1SD5dBkYyo/6TiyoOUTZLITQgoMK/+RgYIYXqc5z7ZfoI79lyHPE660WzmjKgInlR1henk+jlAaJFZB/sdfFA07mWyIyqpypHAlgoJhU4yuwQDl+VpKQGC9PViwF/mhRjkuT94TWMcwSS/JNgqUNKxF/ZGzI+xdxU7XpqF5sNCtY4/Q7fAfedw5rbzM+YyNKkMwkFGWVWsoNNNA7o31IFG1KdJov7Zo/L8Zwa4LEDOdtVjvI7ISri0GwploMLHO+ObxSOiCWlsV30IdKefk9QtBD9/+uPIVmr8JNhX5vYDZmS1fYh32gClgp5lVWmSeGfR0tFOcee/FKY6MP04ex0FLkeKEESrBpLe785GwAXExcAumsMedDYpQwlkH+5CNkhBGSsp+3mB8wmxC5bHeGZZWXosZ3VLG7Hv2sdvy55+2/gcsgOLEEi6okGabzskSx7yLVm2yY/3mGMgQlEO6cS7KO+EQLmDPOsPNz+coaIzTByGuUDSMG8zt038iK/VGljPy9+9/OfQQTcg0mHo1QwFDCUb8GYvg3G2j7jWokzQEFgnApfFZFqfo+r3SVFJtEAFiB/4KnGqehoYI6LYMImGkDxPNBalCQAvKtRnu4D7hj3wMnKY3d3mdYdQA/hqqlGSUY3IHLwR2KuKmc9uheeHG+d+ZDmmUbHu2J91uK1KIHHWEofpDdFDCD++9NV8RkrnBbE0TRcp7rrRmgytZZWyIvld21J4FZDylJSmbi3/eZ6rfDysg3MMpO0gCL8Qw4b2IqtBhxXruM+/xx3nFC07rhyr8yzdy6p3w9aPd26M1BO9cdpOCZG8HqRB6Wc9/LDM4hc4G11MU4yeF87dOy0MaAV+PUWbhnnLNGWb51gRrFQeeVIe4e5nTRxUraY+vsc9nBuD0LZI5FTnH1/0iTsttdrbaR1L5o/Uw2yMW8lrf5Zw37jhyw4v0ODVp3eCjSgLu2iNbxZq7vdkN/onG7Jxg5hHRWVC6Y71coRaRlj2gpy5Hw2Rq/gi9vhLN4DEmEFT1j7ohbo9a522h4E8bqHS3wTnYwIeeQP4J3hSracpUF4NeV5KJ8gqZiSzKy/7BaDOPW5vIpcvWBoxD1oovbnOWGyI7niTF5WzNjYQOfLJrg1HYhXoogOWkxPtQLEQQJBHTsAQA1SSBuZW28bAcoJD9V9bVIAegHwvjo=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

description	pid	Process	procid_target
PID 2924 created 1204	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	11

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
3048	bcdedit.exe
2748	bcdedit.exe

Renames multiple (7546) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
2424	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exe

pid	Process
2716	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe\""	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe\""	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.execipher.execipher.exe

description	ioc	Process
File opened (read-only)	\??\J:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\M:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\P:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\U:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\G:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\H:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\L:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\S:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\R:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\T:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\A:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\I:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\O:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\Q:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\B:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\Z:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\F:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\N:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\V:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\Y:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\E:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\K:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\W:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened (read-only)	\??\X:	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

Drops file in Program Files directory 64 IoCs

Processes:

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\HOW_TO_BACK_FILES.html	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0291984.WMF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RECL.ICO	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MML2OMML.XSL	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBORDER.XML	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\TableTextServiceArray.txt	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text.nl_zh_4.4.0.v20140623020002.jar	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UTC	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\wmplayer.exe.mui	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\TipRes.dll.mui	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBCOLOR.SCM	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bPrev-hot.png	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\settings.js	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183328.WMF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_K_COL.HXK	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.PL.XML	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\HOW_TO_BACK_FILES.html	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File created	C:\Program Files\Common Files\Microsoft Shared\HOW_TO_BACK_FILES.html	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\GMT	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10297_.GIF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\HOW_TO_BACK_FILES.html	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-templates_ja.jar	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281632.WMF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HOW_TO_BACK_FILES.html	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Flow.eftx	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21294_.GIF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME48.CSS	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Vladivostok	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\blank.jtp	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\DumontDUrville	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\HOW_TO_BACK_FILES.html	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\library.js	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\HOW_TO_BACK_FILES.html	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUISet.XML	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00462_.WMF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287024.WMF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_zh_CN.jar	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\HOW_TO_BACK_FILES.html	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\wmpnssci.dll.mui	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN027.XML	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\HOW_TO_BACK_FILES.html	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\slideShow.css	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18242_.WMF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\delete_up.png	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090781.WMF	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exe

pid	Process
2492	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
2796	taskkill.exe
2640	taskkill.exe
2648	taskkill.exe
2104	taskkill.exe
1684	taskkill.exe
472	taskkill.exe
2564	taskkill.exe
2448	taskkill.exe
2652	taskkill.exe
832	taskkill.exe
2864	taskkill.exe
3012	taskkill.exe
2060	taskkill.exe
1152	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

pid	Process
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	2640	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3032	WMIC.exe
Token: SeSecurityPrivilege	3032	WMIC.exe
Token: SeTakeOwnershipPrivilege	3032	WMIC.exe
Token: SeLoadDriverPrivilege	3032	WMIC.exe
Token: SeSystemProfilePrivilege	3032	WMIC.exe
Token: SeSystemtimePrivilege	3032	WMIC.exe
Token: SeProfSingleProcessPrivilege	3032	WMIC.exe
Token: SeIncBasePriorityPrivilege	3032	WMIC.exe
Token: SeCreatePagefilePrivilege	3032	WMIC.exe
Token: SeBackupPrivilege	3032	WMIC.exe
Token: SeRestorePrivilege	3032	WMIC.exe
Token: SeShutdownPrivilege	3032	WMIC.exe
Token: SeDebugPrivilege	3032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3032	WMIC.exe
Token: SeRemoteShutdownPrivilege	3032	WMIC.exe
Token: SeUndockPrivilege	3032	WMIC.exe
Token: SeManageVolumePrivilege	3032	WMIC.exe
Token: 33	3032	WMIC.exe
Token: 34	3032	WMIC.exe
Token: 35	3032	WMIC.exe
Token: SeBackupPrivilege	576	vssvc.exe
Token: SeRestorePrivilege	576	vssvc.exe
Token: SeAuditPrivilege	576	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2924 wrote to memory of 2876	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	29
PID 2924 wrote to memory of 2876	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	29
PID 2924 wrote to memory of 2876	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	29
PID 2924 wrote to memory of 2876	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	29
PID 2876 wrote to memory of 2188	2876	cmd.exe	31
PID 2876 wrote to memory of 2188	2876	cmd.exe	31
PID 2876 wrote to memory of 2188	2876	cmd.exe	31
PID 2876 wrote to memory of 2188	2876	cmd.exe	31
PID 2924 wrote to memory of 2120	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	32
PID 2924 wrote to memory of 2120	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	32
PID 2924 wrote to memory of 2120	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	32
PID 2924 wrote to memory of 2120	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	32
PID 2120 wrote to memory of 2620	2120	cmd.exe	34
PID 2120 wrote to memory of 2620	2120	cmd.exe	34
PID 2120 wrote to memory of 2620	2120	cmd.exe	34
PID 2120 wrote to memory of 2620	2120	cmd.exe	34
PID 2620 wrote to memory of 2640	2620	cmd.exe	35
PID 2620 wrote to memory of 2640	2620	cmd.exe	35
PID 2620 wrote to memory of 2640	2620	cmd.exe	35
PID 2924 wrote to memory of 2148	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	37
PID 2924 wrote to memory of 2148	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	37
PID 2924 wrote to memory of 2148	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	37
PID 2924 wrote to memory of 2148	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	37
PID 2148 wrote to memory of 2544	2148	cmd.exe	39
PID 2148 wrote to memory of 2544	2148	cmd.exe	39
PID 2148 wrote to memory of 2544	2148	cmd.exe	39
PID 2148 wrote to memory of 2544	2148	cmd.exe	39
PID 2544 wrote to memory of 2648	2544	cmd.exe	40
PID 2544 wrote to memory of 2648	2544	cmd.exe	40
PID 2544 wrote to memory of 2648	2544	cmd.exe	40
PID 2924 wrote to memory of 2712	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	41
PID 2924 wrote to memory of 2712	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	41
PID 2924 wrote to memory of 2712	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	41
PID 2924 wrote to memory of 2712	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	41
PID 2712 wrote to memory of 3064	2712	cmd.exe	43
PID 2712 wrote to memory of 3064	2712	cmd.exe	43
PID 2712 wrote to memory of 3064	2712	cmd.exe	43
PID 2712 wrote to memory of 3064	2712	cmd.exe	43
PID 3064 wrote to memory of 2564	3064	cmd.exe	44
PID 3064 wrote to memory of 2564	3064	cmd.exe	44
PID 3064 wrote to memory of 2564	3064	cmd.exe	44
PID 2924 wrote to memory of 2728	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	45
PID 2924 wrote to memory of 2728	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	45
PID 2924 wrote to memory of 2728	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	45
PID 2924 wrote to memory of 2728	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	45
PID 2728 wrote to memory of 2440	2728	cmd.exe	48
PID 2728 wrote to memory of 2440	2728	cmd.exe	48
PID 2728 wrote to memory of 2440	2728	cmd.exe	48
PID 2728 wrote to memory of 2440	2728	cmd.exe	48
PID 2440 wrote to memory of 2448	2440	cmd.exe	47
PID 2440 wrote to memory of 2448	2440	cmd.exe	47
PID 2440 wrote to memory of 2448	2440	cmd.exe	47
PID 2924 wrote to memory of 1912	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	49
PID 2924 wrote to memory of 1912	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	49
PID 2924 wrote to memory of 1912	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	49
PID 2924 wrote to memory of 1912	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	49
PID 1912 wrote to memory of 2984	1912	cmd.exe	51
PID 1912 wrote to memory of 2984	1912	cmd.exe	51
PID 1912 wrote to memory of 2984	1912	cmd.exe	51
PID 1912 wrote to memory of 2984	1912	cmd.exe	51
PID 2984 wrote to memory of 2104	2984	cmd.exe	52
PID 2984 wrote to memory of 2104	2984	cmd.exe	52
PID 2984 wrote to memory of 2104	2984	cmd.exe	52
PID 2924 wrote to memory of 1616	2924	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe	54

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
  "C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2984
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:1616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2856
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:3032
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:2752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:1728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:2816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1724
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:1200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:1716
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:2024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2524
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2408
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:784
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:472
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1780
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:1740
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:412
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:1736
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1364
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1548
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:988
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1032
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1324
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1648
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1828
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:856
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2256
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2252
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:904
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:2212
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:2260
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:1712
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2292
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2520
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2492
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2360
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2044
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1620
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:1624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2208
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2228
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2756
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:2424
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:1364
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:1028
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:2260
- C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:1604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2100

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\HOW_TO_BACK_FILES.html

Filesize
5KB

MD5
94ecb61333bda39edbab82e57c954dc1

SHA1
99e37aa889e0705e02e87bb854009741668f7c6e

SHA256
96636af17b7a9988181c33723a6f30ee84f110f57a26004054d4149d0538b4f9

SHA512
d6b526895dca0ed7abc84807d3c5df9261767173955589323395dad270a9f22ce3ac587e07f99d96f557f6b894dce2951e7e70986a0dab70e4b8cc7f4945f359

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK

Filesize
1KB

MD5
0a827cb412244e4e392598f0c047bc25

SHA1
5044effd14845d0cd2c4d7b538c955c5f66262b6

SHA256
411da73cc3aa65691ca14d776512b947bcf25dc096de6f35321ba692c8c4f65b

SHA512
70ddefe0f07324321b1a031130a06494bc996ad19f2862c9756a3e6d4a2dcc3e8d470b5d7420bd76af78d1aa39731fe776be66b176b258d7d7198ab469318a1d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_F_COL.HXK

Filesize
1KB

MD5
89cf7bd951cc074286888a2f4f41b6ec

SHA1
862d591ec7a34bc5138164d93f77e98b33bda9ea

SHA256
10e483e96f1fbe9ce7ef8d73029179c003df1018d992b661ab7e6c6d037948f4

SHA512
2ee038b8c4d17d53658c26b60d0f99582c51f57689a731b773ade3a4cbdc036958164e939f2177528eaeee6ba8d98d4c724b76bdd4ace93ede004960837df056

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
a59c680beba3150991263808079627c0

SHA1
a923e81780cc2df12092398d64a065d29d76d734

SHA256
41311540fabad45e9f11fbc72743ce89cd45972fc6e263d4334882c574ac1e64

SHA512
0b9d2ec4bf62911800ab3a5c9633ab02e7f4239575d22cb4805f2176587990ce0264f9dca72aa286b86b80c8018ab9392bb05665ae9e1bae18d6c7a9df472d46

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
e9cd74ee1fdb498752007714859241d2

SHA1
ba4a61f9808b303e8e509ca32219142cce6b896c

SHA256
36f92237b7a7a7bbbf7ab5678789179297a32701ea51672691d9e91f59d8f60e

SHA512
0d8e41f04b17acbb839d1d22e71b803883fa380dbe9d68e66f579908d55bd06abfd5996768ba352e1e57ab6ae335330be0eecb27788076f38dcefaa2cc69dd9f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL

Filesize
257KB

MD5
87a6e2fc1f4c2e9f5cb076c8f0a4a0b8

SHA1
044fcee304607f4a07866c077882ccf258f47e13

SHA256
fcf317fea43c36048904e03f70b4086e7f1a7ec7f829ca657ed86947a3cff56a

SHA512
f103fd031f956065b45b44a045511505ae0697f48e9a2e228d3c57894684af881acbf1abc4344144aa3ec987b39a7ca61a91630b3c0344f3eecf97820efd2305

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF

Filesize
1KB

MD5
65f4f0abae57aa70e56208603b581b20

SHA1
b22612c425586aedcedac3189e9df70873a22275

SHA256
60a604eb890b1fbef9d133e53b0a3a057ddc43b310dc906d98c87c3a69cc604e

SHA512
bb43fed051905b64d09ecf73a9b631ee1d246dd541937fc0f01d11f5b111ade2efb67479aa608fbb369602762c4de389409b065666ea4283dda3cb276bc93ac0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
eeb4ca922907b39fb0be8dd4a2f23835

SHA1
a2334efb1c9c61cc74a9c2e2b22e0a40593a75e6

SHA256
21ddd31416dd456233a303eee77573b2b9b3302e13e289043a8f6b54a278ca5b

SHA512
593371b65bd285af548c513cd43f71c0af30ce2672220436d0b035a3bd745f243f30d03ff49bfea744d0d440eda05c86dff704b4c01d2279c65bed7c9fae4f4b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
1KB

MD5
463f9322de9f48be38845f5799881f4f

SHA1
5de351da86926334f31ebe5c18ed488363fecb94

SHA256
9a0a311fbf3b1bcb7d3397b802e90eff09876465266a117095cf87d6d6c7daea

SHA512
3ba5e7f1ef84d1e51c051505af4825ace01716536d63ee9ff0da977b801c0735c9fab196e92ab97f4c828c7a033cf506879bde3c56ecdf04563856980b97a39f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
1KB

MD5
778d5f46783dc08bedbcecf3263d2f4b

SHA1
0e1caf4021ce3214cd768a329e94ea75b9249416

SHA256
4f095a9b43e2f90201b3791b08cf103bf2fb5fcbf714b5c1ae273823907a32e9

SHA512
678394304a1d9cb797b33fd45ba7561904f144602975bf32962640b98ce9aed3580b0c7babe0b4eeddfeba9039f243e989f7a3ac3baf5351243d8ffbaf6a89a1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
2KB

MD5
887349ed45988da529916aa2e84fd828

SHA1
d99e1ae77a874130aff28bebe2286d307dc929fd

SHA256
85d56ec32dcf7309e45ef72e20902b19a0ad48160c743e0aa945a02690bb6433

SHA512
2eb07904d63f956da81bfbb18f66dd458b73e973f24d83eac649cd1aaa20269ea9a591ca14ec29b792c6e7273e4535e85636f6d19539022205580e148765a2a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
2KB

MD5
067bab43f0d25399661f182453e51d96

SHA1
f61ca95e61897dff954e2e51a0db664ac9e315a2

SHA256
2fee5ca67a57e44a5cc36af137a2198116ca5b81173a051a4ec16435a746f2e5

SHA512
2dd899d9535be67fa6fd4155a5218a6661a2a41aa740a60bc17df33190ad09abc1debea2f03489abc0391de3440dd78824b0bc1bf5bf2fd8c101996550f28295

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
2KB

MD5
a3b3f7ef9b102812096f79bf2ff6c355

SHA1
fdce3f19bca7c66f2c58791098c56a05a62eab39

SHA256
c95284fc7c21f13b9a5bb72277d4bebe0977b04f0107a25b8ee8a6c597df0891

SHA512
1aee3bc59c264bdda5634bf1071f45ad451ea2d0d729932b9bc2873c4bafaa74657be56f35b2d7e004184862bc295e76fd489f718a8c82c2e036d9b31a6eb177

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
2KB

MD5
90e40f7482523c8be4775812f20996c1

SHA1
362a98f0c9bacf64c261acde6dcfcef5c6ae111a

SHA256
0c92a8b4cf76a366e15ab5d23397a945c0462326b007af4d3b9f13f01a3369f0

SHA512
8632a09c4e9a230c93d6f5a5730881cbd74b7d327545ca330b8440b2452b9899b0ebe39b95d428972712709137a99237ef0c4c9a524ca80bcc78f7117b8738bf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
2KB

MD5
36fca8204e35db6ebf3231ae8e719222

SHA1
e01c7f0e688ce0e371e2e87d325e3ec241608caa

SHA256
5a4ab9c390a07ef31daa41033bc73aa2c39c8ef6a3ebfe649e41f179c5d25260

SHA512
e824f921020f63c04eb1835e4ed4666c7e3bdb571559c3d0af5a2e392ac123bee0d743b693aa39ec4360fd5cdfbed8c5e6f51d745256eb44476f7c5fc2d1a924

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
2KB

MD5
6bebe077118bd12b6173514107ea9e7b

SHA1
be39f06c29e53211d04cc637ba5bcd047ab9c4a2

SHA256
5a5de16ff363eed6657636ac9029d4028aa4e8374f9ac7b33029d2828ac686a4

SHA512
4bc11cfbdb6d713e3c0b5c14f96ba7cabe545ef2e75408f34c11c1ca2508a622c264cb7dc6916c4eb9277faa979ff1a5ffd2dc7315aa0f606f8dfe22e33ec970

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
2KB

MD5
38009a15ca1efae425931e9ec6976a5c

SHA1
668b5266158eee8236487de97b6e445bc11c8e68

SHA256
0cfbd01c1591367d97fe04f0ba554cc30838f229cb332cd64a51330c10d9c303

SHA512
4bf32336038c0b4e743ede86fd8f68b0f30ac5f8c7602314fd90c0dbded8e8d37ac04905744872a07327b2a7a2a1aa6d2f73efa429380edbaf226fbfab45cd5d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
2KB

MD5
8f544e14e9e954cf9fe180a9c826cd43

SHA1
fa91a96a9bc8676baeaea87e52481783e40ceb82

SHA256
c96ca713f2ae294d91e85b7d42498268d885478e46351e957c07996d6bd3cb38

SHA512
e8d9df4b6e0b9544e4a662a5a55db245275d893086d3a9fac917b6599fcbaaedcff339ff7fb874f6b7562973dddb5e956ab4e4c0512a745f25778020bb088ebb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
2KB

MD5
99aeac1f96d3ee9a7f35c06aef1f66f2

SHA1
b1bcaafdd9b57b07f586f607e7fb0caa491d272f

SHA256
4a602df4fd1bf22a75154ffbbd1f952be2059e086e375135aeb7179233896c6f

SHA512
38f722b6f16860c7e873dfe495756dd8b5f74b252b212f25872b5134a1b40df73fa02c19fffcd0074c48a05175fe375139534f29c17659b645c288e2d49b49ac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
07dcc57792ad88a4cbaed446062d46ac

SHA1
f23d5227f64a8f8afb1d9815c5ef1a56cac5f1d4

SHA256
f61ec2ff87117fd0cb4fa7aa29bd890ce1bcb68b722cfab4361fb2f23534f410

SHA512
b145d41ff207b319d2316b6460c41c16ed2ea5c1e9d9ea5ae5f360714469f0b923811f5ea21b1b3c82d2c45c09758475b1cc86dd9926f6e28f5fdf20b3b359e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
00ef43384285dcef2dd8d7f5be979a07

SHA1
fc470c19bcc0f7e469f9c29bd38b769043fd76c2

SHA256
955bc17ab052e4c6ef2e15890054fef69e7b97e020a743f17ddd3fe8b2691df7

SHA512
741202e94a522c9e26d382bd92dbf63a0a68261c81b4a6f5c0a7f03477ae26e69b48904f7664774abb5c153dd1f94804a9d9667b3804519f05a6e59feae77e1c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
903d477194abdaaf89f47e0dd3ce95d7

SHA1
bff8dec6c7d8dc51068abb46ffef2a40f12f93ba

SHA256
1069f257b623c44a1a13e12492c5aa3bf38686d033e4f38cae74bb4f3b3cb563

SHA512
a1eeb6a083c4748a72b94dae1f0b2345fc7ab447f7469cffd313df072867df1491d1b3a5e698b4bd204dff17458d8a5581408b55b33b2bcd256a07b5e336a764

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML

Filesize
2KB

MD5
6be4c3dd334d099d3ba7732e73e8111f

SHA1
0b321e1bc936279028ca4c91a3d18c2048119351

SHA256
c5e0eb574f39b29eb6280bf68903ad7f4d61e6a0ff371b65f241de60c30d7f7a

SHA512
6936a2d1618973b12243adda42f0c26a5c7111927f2585d321fb9fe0e46fc3f5fd8fc58b6ab9ec4add551026c4c63d8dd8c197159b9b3c5b5cee608916353a37

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
ff9cebec8fcc838c11e5f9f9f5f609bc

SHA1
079bda7d762dd59b41a0635ffe967e8d92e78a1e

SHA256
25b6166cc70ca9570a13e98829001abd319058c01c9fea6ce2a24b36aadc27d5

SHA512
4156ce356b65db7da81df4ac9a8e34e9d55503ed6256f3f7057b3dea6d4d0ee6890cf275db6470399020d60c990f253668147e8b34455bfbe5580688f5f8078e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
1KB

MD5
55b078e406350b602f14dc393516345b

SHA1
5f009f55e70af5a27d0c8c0d10717879e4e577cc

SHA256
111103cd324d614690b267f75a5deb477a281ff9325680b0d99a3dc31f11da38

SHA512
f855176dc9f174425feb5caa1380ffb00d81806aacebe3913fee440bbda42ad3a619ce8de09b868311eb0ab4920224455195a6e090fc0edf0cf2d05d4d55be9c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
4205a370d071866be8ba408e2469968d

SHA1
6d29e803e2f6e173242ca0ef84951649ce754b26

SHA256
275d1bf2522990fa57dcd34dc416d05714082875c1077b9995aed58cbdf8e025

SHA512
05b72c249b8fb58e3a4694649d12aeb16519c1c5586d49741d42de7a81f919b5455ed7b11d434fa1fb662850bba32bb7052704f0a5f7c341a55053d690d035db

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
1db42ca0a6a37093e5168199e6447fc7

SHA1
e0559d66a286db72fa4b621e69c996afdedb4e0a

SHA256
446361063956698fd70e8b3e8723805899fbe26f1b4520c573aeb6181ef84720

SHA512
2f2b66bf3e02d208e1a55e8220174069dabfd963fbc40bd7802c63aa096064cb6b71075f15c37256efc6c8aa0d0016593765879bf76c86e26cef0fafdf01c907

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
604ca0765e81bd862f7a637fc6b0b77e

SHA1
d8c017532b66104ffd52df0a7c81ba6ec4af18a8

SHA256
5be0c142945f07579eae9480def4a20939a816a4733972b5c1666f4adf663d55

SHA512
98d097d9256e015a65f5edf2b06271cdc72e9170539f12f4a6ab1eb8f2020440bf330a36d1a614b7cb03ba7351a99258a274900ca3b43265ea0960d1f7b254ee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
7cdf5b200d94f77ceaa7a43e4343a737

SHA1
0bac71883be7c03058611d807186e9698e293df2

SHA256
b47269091efc870af2e57c51e53d1e8d854209356409d33d31bfa6efb6298489

SHA512
8fc979ea2d0b1e5957c4ca5052bad6631533990898041c9bf19394cdb8a053a2763b854823bef31efd72622ac06fd8239e788f8e1655920ab7ec385b8a7e781b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
88af3aa76200462a8ce0ed215f1338c8

SHA1
236179a90981bbf961dea37beca0f766d0be6a69

SHA256
62fb58adcaf6ae28b0e2b30c64a20776cadbbfee571b0676c5b2d56b439ae535

SHA512
faa0ce4c0b50f4299afaa4b313c294693e5e17393cf427f4d91ac7141fcf9ddf13f7ab5f706a68c3235deb6ac6990b67760b8c6c79fce5e3955d512081c97651

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
e2cf926a383f03065a2c197673eca595

SHA1
733b20116d8bc8a81287f7e692ed59a3c1d0944e

SHA256
27188d8a8596d80a0d8b797d166f189e26d0651a90fc9c27aa106a98ba6d5f00

SHA512
bb3df1528e4c48fddb49183991022dd752ec32ad071beb6e8ac41bbba213f3e6b538da9167f50b99eb0141bfe792d8c357776d3d4ddbe3c1ba55ca2d2b7becd3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
3fd7eab10e4969ba8c1c98de237863cf

SHA1
f005a3ffe7d0b95195a100e785579325426e4618

SHA256
bc26246b4fca4cd14875b9e0cfd033b89f9e73cdead7125063cdff814f191e3b

SHA512
e078a0c4f89e440c65f3e2443ad7b52cecdbb1355f976749a9bc4804e97c17a3abfdbdf954eafd4655baa93f8d8cf655b75850cf4dc9887895f0e9e3b6336a1b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
6e6c3d634f6186de14aa21f9aaa09ef9

SHA1
b33b1bc42fa8c73460b98894e68d99a3c3151534

SHA256
32f09c349a5e0af0506f5100d143569c03365c810de07ca510d0a136b49ff868

SHA512
ea30402539540a2b16091ce297d77bffe55c9986d6df2d6aaa76dc912e887ea9748af895068dfb861183b42fd7caf718d8ac5b26afdca4d83322c18f360283c9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
b23615a602ac7682d165b8388995b917

SHA1
68c699ae0a80b38fac2e6481c642d4c29dc0a8db

SHA256
1782fb9169cd0ca241f1facd679792153bb10943330abae27495259878e5b507

SHA512
c6d4968fbcfe9951702fb8de96352b2ca73540852e663192303ae55c78f5cd99a6e4dc754bd65db06846016a7e11e6b7b5c1e329b930deb3b6f547e65d95dfbf

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
feb477e8ea14e2d3943c1a5c6bee2969

SHA1
35c5cfe83bc4d517bb15c7260387674ab53a39d7

SHA256
54ef537eb03542847e57abfa70ecd05c03985ec2412df89994a2d2962b6cac8e

SHA512
3989210337e618b523b3cdf0953ca1952876aa8f1d1029bbf5fef62a81a8aceb1e9cef78dc61a40f485e7473345c49d291b0ab1eed44b707743ca483591bd879

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.deadnet26

Filesize
1KB

MD5
d0a464152b790f40921370400d83556d

SHA1
45e6f83bcff98b96e67af5d4a1edc77f1d130bd3

SHA256
41e82ed719631abc5851f29b35fc2b04c1d1b0a0737dbc49654f3c4e820d15d2

SHA512
1c9e65e80541ffb8375afef5a4e88440b2d48ae58e5fe4586edbd4c2b44b951dd14bf94ec72f2018f1621f0cd817f006c15db3df3a84c1ff69a1c7fdf5caefee

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

Filesize
1KB

MD5
adf1b06ecde7dfeb3bc45a9fdd2c7b2d

SHA1
a4c3d669047b2da7cb656d8b85991b62b0f01826

SHA256
1256232810f10071d89020c4c28c15a1b4efb31554df81b7969971bdcbe29893

SHA512
26b8628ed5471caf0f54085d60480f2cd9930f48a613b2dea86d61603c534ac0b4c3e552a19f73d92e81d58a38d071cb4ea747d81142bc9c26d1d2b34ce626ed

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
bc503cd39519f8f1d18fd2718b3019ea

SHA1
652ef8fdac8e1c24438baa51085a1641a16981f8

SHA256
f59b8fb44977ae3af843ddb56de219edd89a7e08928957ecd8704673c4662d35

SHA512
15466dcef187823fb412facc6acec6c9f84897970589c5b487a4eb5afedbd2ca0031f7cfb635a92dcdd1983c8bcd629f34ca0ff4306c1c6c7267805a3539f3e2

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
bc667f48fd5dc0ef31c02dc4e984f46a

SHA1
7ae95e354b215b66c21abad80d2eb0c82fcc8bc5

SHA256
816546c02d59b78cf2a7fcb2ec31674620fb5272a2f378ef96c5984ab9af82b0

SHA512
e5c336858feb32b4a6bf8859c7ff5811fc638c8ea38b26ae3b07bea171a314aa8c3720767a5d3c44042fbb0706a981ae3bf5b6251acf8b291941fd2281adbb34

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

Filesize
1KB

MD5
cb3a09794f2b8453797e93fd0f7d802f

SHA1
1cf0ce003790274c984960152315e6e98c280cf7

SHA256
0fd4e4e9e6bb87111e7df458bcb02bfd3e89759db44380178131c77b5e8ac372

SHA512
bf2a4ecbdcd0177104deecbd64559af4f6d0c183ccca52eb299b8e7d5fe323a92b83344125c239e55643d188196bd2befacabed4b79dd677e4dda79a55fed19d

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

Filesize
1KB

MD5
e0c347a817e838ba500a70089ebf8b8d

SHA1
1de7e76af33f7a8367c3870e4458e2503ca3b8ae

SHA256
39b11a9e19158cb978c3473f6584a55aee733f983eeac96153962121d9b57f8d

SHA512
8769ff8866a1a334df917300e0c56a9dfa36abd3e2acde1e9c71d57c3e735935240173a98c7146b9573d944fe8e4e7bed13ecee01fcd9edb8f7bef6c4f63bf69

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
f7868b1a047504bc3a1752b680d11289

SHA1
80bec34d0c95a90e04d1a38b591c06b8927f3f79

SHA256
d6735dff9e4be6947c5c9718a9e282a482fa249db25f3874c19a54f5e3134edb

SHA512
dc2aa2c83b00c0768a4793a8f9f21c5176147aa4f720172d6dc8e22dea5665c13cca8487c03831a6f681cfbe92e59c6899f682ad2f45ef78591c7cc02dcf8e10

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
80db456b1c04211be5d88b4643cd4206

SHA1
9077a0e3a09326edad574bf434d148e84784743a

SHA256
3d043a1bda9f96fa248b2d99da41a2f6d9076749871cbed6cd6db2b0abef2c7d

SHA512
8fe5321095592b0865d2ec131597538e69247da97c25dd17c877cabc1954ef200baf991ed9d5db78a48b90b053c9a962ceb0dfc04d6cdd3b1ee2ceaca645cf10

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
1cc3d75f3216409b3769c97b5e7d2570

SHA1
5da0b9cc8d8e7bed8ffe1827be28e3dd67a9512d

SHA256
96aa4c9e01be4bb8a00e7d10af7c59cd368b3676f36a36c4f2f01a231bcdbc2a

SHA512
69d78c3296aa4eada9807bfc874a47d989fe3b39bd09812d2e7b20484f0c5a4ec3a64a84c6b1d1937b3f57058f2265142c76a6d0b68c0db63a70bf2a9889a307

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
24f2d64b341536541246c22f35312639

SHA1
6a12447a9b408c0221b39636abe1962b5c238c2d

SHA256
7f6e3991d624d79ef393c958687f356c058c496bf385ddbebd04eddb7eb0f3f3

SHA512
4ed175f8c9aea38a0178d9157d82a177c8fe17fc066dcb4ac50b77da098bd39d8e01c17f01955c018adb43565065f639157ae09dab87ae1b1bcb0c4f947b3602

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
dc7677e100119357b6ec29383135c894

SHA1
d784a5ef4b56b5faa43aa03bec53efee8b8afe83

SHA256
57b30bbb5de73ff0b77a137e70d77123a9e1e4431edbc968806fc284991f559c

SHA512
2c78789081b5cc686f217e96c01c74163717cf1eb618d45b7f48b5254c3b2177408cb137a00eff415495d7ac8c22968480d2e2aa012b172f34b120b6e9fe3646

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
101418945b1e261dde3742ee8982e513

SHA1
ecd50cc9e2e30ba632e65bddf5fd8251332f05f0

SHA256
7937ba37918104ddc9a95ab3e9a656763c182f93d989b2a0082c93cc014cfbe5

SHA512
3f2e878536fc3e20c4b4260099a0d87058aa7dbbba8ce34aad7b7e7d63a9958c26e329ba2c0342b8dafb0579437a8a3e96611299b787644bfe6d5415e7c8c1c4

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
740e8ba6847fbe30c50e23912c4f895f

SHA1
3d1042fb6ec51fb87069be8bc17966b3e6d89c64

SHA256
010c188dc977b7fb403c901ed346cd507b39fc85fa0859cd6ec31db94fc04ab2

SHA512
84ee63ffa2aa0e38a5dd9b712c133b294a9adec45b5b924fbc1925921b94dca9bcf55fe7f57a133ec0a6e91c1b11f29e317a9a9baf3037363a7b85d39ed072db

Download Submit