846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
Size

333KB
MD5

0fc26e931a324948a7d5e5a0008bf3c7
SHA1

aa6018a65a0ae90d33451dd8f4fc647179ee93e1
SHA256

846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378
SHA512

95dd8fd0973ac6166fda194b90e84f57d637ca3e1954733b19446abcd13ee89c09388bddf626cf9ee4aace8d1097e244865c50738accee3adcf03b3321c6d5d3
SSDEEP

6144:gq9ezqsEC8dS7CCKUf+9xwL1ZTcDCzyrxQX3hVds+tfCOu3miq/8g7iXq:g4JsE3CKUf+9xwL15cDCzie1ChRnXq

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\how_to_back.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">ZkJ9DizwiZSB8pd9Jf4n/nLp3uCn3JO06b5jjYbhO711du7pNj/bvICeQL1NyxOm/bkr9OjTfzix9eUOWTZeyitSJwhJ22zfk9l50FHMisBWWNbeuQtSf2HcH3KtVJVEUFGkW+cIsKxcAO2Z27ys3IMO/JUGKe1rX6bh2EE4Za1fpc2pdBrOdxtIwoGIA2EIPfkiEiLw+k8sIGSu6U6m1AHBkKrGPM/4sVouiDaetx1lDwihs+Ju+FpNhKMMCiG+tEGEBQmHUclkf3sofRO5zSLd+lsG2ggQHPD/pN08hZ1+BsxtGHE30O4LnZrgRNezZJW+gvCwrVuFxAbUyG1qhNRQSfgc/FXevYgX9Lm7SzMEKGqmTlFIbtBnP33XVsBnGTwQ0c6XWwAay45Vi8E5CyMzkVJckMaJV+udB4ShXIjj2KhbBqt9f3wavVd/iyKPHqG2zcl4GkUIA3CkWas6Jhl/E2y+jKPxZR/GfXi62iwoy9+GAbiPhSYtenDncOgto1SbTH1Y/evx9YNNlnYacKRFrvpnpUjypDSjWdSG1r2T8BAawQsJupeSytEgdY8K4gkFvxA8FnptxPBQrc1esE6TVPUAJax8rzaU6qH4GsptuU0zFbdbsjATzCb80P+e8UMLRGv+B9+vTHM6WwKEbWmg5ZC6K6N9kgyMDlgFfVQm/LCorOKxhN9yqfisx/+CKk7W7JulPgNP30P81t2IxmDF2z4tHtY3p39ifokQ73B6J3ZO+zRBpYZIEhYO23kUVLv8Dn8yaV2xWski4BWceFU2/Zj5luYLYZPumI9CdSJATyqYKGXoNu9KdkCVJftKwUXrbtmGOnNbTsxJg9mNrL4VdO9tSpzVLQMJJkx3rjXGCp5t59uFlhiD33Q9R+iLKBqli0sOcAkk/osgR09TaHg4ljPOCUPd2UZ5VB+lhFC39qx2jpezp6HJUlW0M9AzlagkJ62XGdROlOFshu0UEsT6wb3zrcJcIFKce+hJGS8Lk6/fDZuiUVzvC8dBWwOHYX0/catOE9C6FCtKcJqC8SbvlF0PYaLrBEr7XwBGmkrA838gzsqrlPYj1pSUR1Hx6tcJaYA9iyySmvpTaAnz5LuO498lYvNzoIjjG/TDvAnCJaO1Skp++R13uV2eM+8c95tq63dmByNJq8g6ahLB5N/8wHAZbi023Yy6I8HKKMg+wFK9cQ0giR7L5MVlj2kdb+tHkAO8+wniS5y0aNdBZQsi9YKIOoRN4adr+87D8BC3JR6CyJbY8c6/NgXhMnTvy1dlRuG/B7aZjy17bqemj0F4WmRuWwvT9LCLK/dQY9JRCx2EqqnZXzowRcNuW+xwi9zDf+9yLv9XPuKkv3HPYWoRCT87rX5VzQIJ0jqfYNcqrEHGJ2qYvrqOHUMcQjb3rRjsSIjwZeiUH8qVzkgj5sNfI28EDtMxUfOgZFHC9CIhFGk6cWlFCIFkICB4/03LXxMqe43Rn4y85UjnT+1oUoELEDlOMgznFWatYLmvh5JA5pkYn6M/QLmBin7ufnz1wtyM6wp//UKteSkCfJH5uIHRxgpFe6ePMOxD6ibJtwq4zd1TcOZRMWbQUyiUCGEwk3wLzPxk4CeGhcUpSkT3iaRZoAYdNbBr2INwrIc3SVKCdm8o5XOsgMWGmqDB5EkLpZJ0qkypI4gF9GOal/8jqCHD+rI9zyGjsB/IjzlDwQI=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2196 created 1212	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	15

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2420	bcdedit.exe
2436	bcdedit.exe

Renames multiple (7570) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2600	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1592	wbadmin.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\N:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\Z:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\F:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\A:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\U:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\J:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\V:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\W:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\B:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\E:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\G:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\Q:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\L:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\K:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\M:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\X:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\I:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\P:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\S:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\O:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\R:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\T:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened (read-only)	\??\Y:	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Settings.zip	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\THMBNAIL.PNG	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01743_.GIF	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_2.emf	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\how_to_back.html	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\how_to_back.html	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\bckgzm.exe.mui	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Northwind.accdt	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Yakutsk	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\South_Georgia	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST5EDT	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-execution.jar	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Danmarkshavn	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\NBMapTIP.dll.mui	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212661.WMF	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Earthy.gif	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\MSPVWCTL.DLL.mui	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\rtscom.dll.mui	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\chkrzm.exe.mui	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.dub	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\UnpublishRepair.mpeg2	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_snow.png	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18191_.WMF	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\how_to_back.html	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_zh_CN.jar	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\how_to_back.html	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKUPD.CFG	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\how_to_back.html	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_play.png	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipBand.dll.mui	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\how_to_back.html	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File created	C:\Program Files\Microsoft Games\Solitaire\ja-JP\how_to_back.html	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CET	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15034_.GIF	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\settings.js	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToNotesBackground_PAL.wmv	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\how_to_back.html	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04235_.WMF	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200521.WMF	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1836	2196	WerFault.exe	27

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2480	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
1964	taskkill.exe
2092	taskkill.exe
2584	taskkill.exe
2984	taskkill.exe
2664	taskkill.exe
808	taskkill.exe
2152	taskkill.exe
636	taskkill.exe
2820	taskkill.exe
1976	taskkill.exe
1100	taskkill.exe
2540	taskkill.exe
2436	taskkill.exe
2404	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	1100	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	808	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2728	WMIC.exe
Token: SeSecurityPrivilege	2728	WMIC.exe
Token: SeTakeOwnershipPrivilege	2728	WMIC.exe
Token: SeLoadDriverPrivilege	2728	WMIC.exe
Token: SeSystemProfilePrivilege	2728	WMIC.exe
Token: SeSystemtimePrivilege	2728	WMIC.exe
Token: SeProfSingleProcessPrivilege	2728	WMIC.exe
Token: SeIncBasePriorityPrivilege	2728	WMIC.exe
Token: SeCreatePagefilePrivilege	2728	WMIC.exe
Token: SeBackupPrivilege	2728	WMIC.exe
Token: SeRestorePrivilege	2728	WMIC.exe
Token: SeShutdownPrivilege	2728	WMIC.exe
Token: SeDebugPrivilege	2728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2728	WMIC.exe
Token: SeRemoteShutdownPrivilege	2728	WMIC.exe
Token: SeUndockPrivilege	2728	WMIC.exe
Token: SeManageVolumePrivilege	2728	WMIC.exe
Token: 33	2728	WMIC.exe
Token: 34	2728	WMIC.exe
Token: 35	2728	WMIC.exe
Token: SeBackupPrivilege	1968	vssvc.exe
Token: SeRestorePrivilege	1968	vssvc.exe
Token: SeAuditPrivilege	1968	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2292	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	29
PID 2196 wrote to memory of 2292	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	29
PID 2196 wrote to memory of 2292	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	29
PID 2196 wrote to memory of 2292	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	29
PID 2292 wrote to memory of 2696	2292	cmd.exe	31
PID 2292 wrote to memory of 2696	2292	cmd.exe	31
PID 2292 wrote to memory of 2696	2292	cmd.exe	31
PID 2292 wrote to memory of 2696	2292	cmd.exe	31
PID 2196 wrote to memory of 2704	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	32
PID 2196 wrote to memory of 2704	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	32
PID 2196 wrote to memory of 2704	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	32
PID 2196 wrote to memory of 2704	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	32
PID 2704 wrote to memory of 2572	2704	cmd.exe	34
PID 2704 wrote to memory of 2572	2704	cmd.exe	34
PID 2704 wrote to memory of 2572	2704	cmd.exe	34
PID 2704 wrote to memory of 2572	2704	cmd.exe	34
PID 2572 wrote to memory of 2540	2572	cmd.exe	35
PID 2572 wrote to memory of 2540	2572	cmd.exe	35
PID 2572 wrote to memory of 2540	2572	cmd.exe	35
PID 2196 wrote to memory of 2440	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	37
PID 2196 wrote to memory of 2440	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	37
PID 2196 wrote to memory of 2440	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	37
PID 2196 wrote to memory of 2440	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	37
PID 2440 wrote to memory of 2588	2440	cmd.exe	39
PID 2440 wrote to memory of 2588	2440	cmd.exe	39
PID 2440 wrote to memory of 2588	2440	cmd.exe	39
PID 2440 wrote to memory of 2588	2440	cmd.exe	39
PID 2588 wrote to memory of 2584	2588	cmd.exe	40
PID 2588 wrote to memory of 2584	2588	cmd.exe	40
PID 2588 wrote to memory of 2584	2588	cmd.exe	40
PID 2196 wrote to memory of 2472	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	41
PID 2196 wrote to memory of 2472	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	41
PID 2196 wrote to memory of 2472	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	41
PID 2196 wrote to memory of 2472	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	41
PID 2472 wrote to memory of 2428	2472	cmd.exe	43
PID 2472 wrote to memory of 2428	2472	cmd.exe	43
PID 2472 wrote to memory of 2428	2472	cmd.exe	43
PID 2472 wrote to memory of 2428	2472	cmd.exe	43
PID 2428 wrote to memory of 2436	2428	cmd.exe	44
PID 2428 wrote to memory of 2436	2428	cmd.exe	44
PID 2428 wrote to memory of 2436	2428	cmd.exe	44
PID 2196 wrote to memory of 2228	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	45
PID 2196 wrote to memory of 2228	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	45
PID 2196 wrote to memory of 2228	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	45
PID 2196 wrote to memory of 2228	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	45
PID 2228 wrote to memory of 2720	2228	cmd.exe	47
PID 2228 wrote to memory of 2720	2228	cmd.exe	47
PID 2228 wrote to memory of 2720	2228	cmd.exe	47
PID 2228 wrote to memory of 2720	2228	cmd.exe	47
PID 2720 wrote to memory of 2984	2720	cmd.exe	48
PID 2720 wrote to memory of 2984	2720	cmd.exe	48
PID 2720 wrote to memory of 2984	2720	cmd.exe	48
PID 2196 wrote to memory of 1324	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	49
PID 2196 wrote to memory of 1324	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	49
PID 2196 wrote to memory of 1324	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	49
PID 2196 wrote to memory of 1324	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	49
PID 1324 wrote to memory of 2640	1324	cmd.exe	51
PID 1324 wrote to memory of 2640	1324	cmd.exe	51
PID 1324 wrote to memory of 2640	1324	cmd.exe	51
PID 1324 wrote to memory of 2640	1324	cmd.exe	51
PID 2640 wrote to memory of 2664	2640	cmd.exe	52
PID 2640 wrote to memory of 2664	2640	cmd.exe	52
PID 2640 wrote to memory of 2664	2640	cmd.exe	52
PID 2196 wrote to memory of 2780	2196	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe	53

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
  "C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2428
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:2780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2504
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:268
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:1504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:1792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:1064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1512
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2948
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2972
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:2832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:1860
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:636
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:2108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1536
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:1360
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:3040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:2272
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:2096
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1112
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1936
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1060
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:2668
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:864
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:1352
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:2352
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:2016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:952
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:1488
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:2344
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:1648
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:1408
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:2216
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2892
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2872
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:1628
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1816
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        Drops file in Windows directory
        
        PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2772
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:1564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2580
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2736
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2556
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:2600
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:2788
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:692
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 636
    3⤵
    - Program crash
    PID:1836
- C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\846a53042aa2ec1790fec4d1ec40e66b7abe83bab1718f14fefe051744b21378.exe -network
  2⤵
  - System policy modification
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
1⤵
PID:2988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
d9c8492605cb6b592594fa5f0f9806f3

SHA1
10a24fb6f837c9236f2aa4eedb359afcbb2feffd

SHA256
5a8938a039bb6ed2ebbd76dd8107115bda1e2a4ba79b35c8d16f999199c822fd

SHA512
a59bb651a63887b8d25ea64d35f61502b2ff017c7ad5d63945d2ebb4eeebfef8c61900f7193ca8970e111129925c0e713a1026c154b0c405ee15fea620e52ac4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
4425d6e1c4ad9defc83e993ae20bfc86

SHA1
e38a4b7daffb2f3d2c39b58e10526c08d68090b1

SHA256
f61568085544ee9c79f49f1730bdca13a0abb50e10beb509a4c27dfd8585b737

SHA512
491c8916e362f61d08280d138b0ddaa2c193347a4a381e8079fcd92ae5107b8cd723f28004a1360be3d3a00b73dcf35b6391c93647e0a9eb3ee0f72650a0ceda

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
59ed3738ccce1886efa2b6cb593753cc

SHA1
7685c534feff19f9ab5a62be517c5f2c9bc831e7

SHA256
cbd677b8563a20c4b2492db3c66af342769eac1675dee959bc0a824bf2b6e0cf

SHA512
6c79852ca4ff300e0827170f6759f3a79538d683d603b98163d4b488036fb52f0c65c8d51f4a4f9a8a803e55fff254dd27dc19cf933e83af8f2eb62778a22209

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF

Filesize
1KB

MD5
cd52cb98191826cd299eb27f68dd77e2

SHA1
877b99adcd595ef0d15e353270183291bd7a00ad

SHA256
d6781ca9d3212ad1cb967bfce3861ccacef2c157ca7d5d787a4b5762f6eb016f

SHA512
30aa54e2ab0cdd90300e7ed49e796d983cede4fb1507aa606835cf2faf20f0a7df77ba703069511916cf241a234a9ca13b2d933dd2fb8366ef4b5fb01ec37236

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_F_COL.HXK

Filesize
1KB

MD5
bf3ece6e1e75dd2065177dbe2870478d

SHA1
f6f5958ecbb49e9021f00e155e3aafa9307c448c

SHA256
e6644a172279c7a44adc4189cdb427510a294669fb3bb4cdad2ad95a9e7814b1

SHA512
32acb09c4a3e651b76294bb25833a6df000c4de20e473f5144ad0dd252b827cfc265d8b7939fdb07e00c9ddb487819369b0939c230f99dc4ff23bb12c84134e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_K_COL.HXK

Filesize
1KB

MD5
30b0bb3c7c4f9391c20e8086b5f70811

SHA1
8923389fa87f7f17727db5973ed4a04f564cd372

SHA256
84ee11483733ab46b1eda215c4a254bdc04a5fc37d31aebe3ed4f2be40e2c6d3

SHA512
07cf0d7f994b5d554a4947cecd01e20e6b6c9e862b8519f05250ba8482d0027cd0f9529c8976c967e5ad0e4face00d7ab2047bb754a437b3d88fe430c42ffe21

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
d9c95110620bb33fb941e300f7fb9074

SHA1
8f4dab339c1d2c522e81ee2578ad93115597f67a

SHA256
1c2d87d7a9907835fc7cd34d2c2fe6a7c1bc1a32a736b02f9016c6cbfe1c9992

SHA512
84f51709bde69e5aaca0c96c96e5f295a52e55f0a701f323a4301925285eefe5787cd4c195ab461a1da9b3b3750312f63198169be0f0069bba402d6ebe8ba6b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

Filesize
1KB

MD5
19b7372d12485aaa08fe7c1f637b20a1

SHA1
3e3d59244605b9942e14ca947f01cdde3ada40fa

SHA256
ccfff78cd9784f49640c9d13f9ea83398394f39cd0dde1dec6cfe624bcc51911

SHA512
ed520385064558086f191d0f85d8ef80ebb9e0126b44f5813136aa4ed8d29339fdc01dfd403e2d51e1cdb7df8c91482328319348eb28ccdc9dcf1499c6117190

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
29849adec16d46cde2a73c3379a37afa

SHA1
69b06f2681cc8fde91c571cf20de531fb91a57fa

SHA256
b43f7aa44e684b9a6a492ec6e44c6a925426960fb1c2ff504d726e425b97ec45

SHA512
50ca3ca4603871db491d22f08c5930b0a3fa07b9fb6d9d1b684698a4040181dc5e62e54d99291cc2647b1a070cc2e7d7a9b93a93a7ed952591486881695b9964

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
38f06bf6b2cbaa47260ec70f577a8f42

SHA1
61f15f9a7dee369ff3a8622b743550644881fd55

SHA256
f728e4568103786944861b8953f5cbf0b5747cb96497b455ab3fad036cf6a7cc

SHA512
f81877a642fa570f81832b08dee20d68733bafd7bf35d2ae78dc077486746c9149554e89494940b90de0b7497ebbdc13a856add1de7f3ac3751529b944d999a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
7cf76ab69f7b5d0e77110fa9d260e869

SHA1
aac775eab52a8a504d46e1cc9108029f3e808a1d

SHA256
eb0ddf75b82b3453f19ac188fc9df872d1c8d7cf945ef7a868563e59e208d717

SHA512
2c76e14ececcc29de06690fb98e617029c3ae504481789d61dc7e9049a0cd9def7580092ae29f5928ad632b35f5557b43a419ceb3c99d06b8eefa0d3820f9a5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
1KB

MD5
4a3a34ce0f6793b2e765e1f2861016ca

SHA1
9c40bfac8de35fe2fe81e6c3478b2b805a5fa9c9

SHA256
cccaf0a480a098f0684d6af91532f05e931cba16931f0dacfabb3c564da2adf1

SHA512
1701b65a02b12269a9be213b489d458f9ee25f53641c906ac88866fd6c709cdba3eb4fae9886654cce970ca581bfd70bbaa191f6b9f1a1b58ccf22a2e7c37274

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

Filesize
2KB

MD5
7c45993516f5a48564eabea9b7ff48fc

SHA1
c9c2cc46da7edd2b25d179dfa4d9dd42cc3afcb7

SHA256
da4b0b66532c2333dfa88f69082066a78ff462de81adf317149dcd8e6cf38e28

SHA512
11318545d78f432176e52f239b4008f645bd7e5a9d2303735944eb9b8c99b530fca5a40ba2eeec2fddaf433a0d4147c786bf0ff0b22e63a04064e0029afb8fd2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

Filesize
2KB

MD5
d37e732a5f040b151e066ee6eca0d594

SHA1
18388365a3c22332f78742dda777c7ca68302e9e

SHA256
8aef9f0259ab11dddf536ca25251cd5a20dc3f3a5db14fbd3175a62dce88c325

SHA512
23b21ea658140a6d8b8f124306e7fdf0c6df2951315eaf290328df7484cfd8dbaa40f099cfb41b452582fa56b8affa85c43a6d1e9cfe81ab4ef733102696e2fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
2KB

MD5
7241df7fac29c0122bfb6c545c36fa4b

SHA1
0828a0e22cdf04d87836cd7b6ec8dd1da0628bcd

SHA256
e3efd093de29808e0c2c1ed14f8c850253232bc869cc3f14ba328ecfd0df6832

SHA512
351362fc1fa2c21f4a49eae3dbe81b4cca19b5f27fcb86faf8a525f69fd02b1434c01c5afee3033c642e834af032358c6df65ca9480cee7237b0489fcfcf66b4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
2KB

MD5
56974684e89819b57eb01c79738edeec

SHA1
41c85215ffadfea79abd50ac348419fe96ac1b84

SHA256
ada02d3ecb5240167ad52c1e00e9abfff8d14e4a1eff3fb87a642db723aebbdd

SHA512
49a5785be5f60cde82802c67e568c501517d9131d43e8957c41673c5f96b55bf0c471c189f9eacaaac688263b832fd7ddeb727f42580c28307f522dca8ada6b5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
2KB

MD5
f40ba84c204af10c6f1316647d81480c

SHA1
4bd5afa3666d9926a04ef3266fed4ad342ad87a6

SHA256
27f02b765169b2dae81475e31846cf486ba80d20812532f29cbbebd875103f52

SHA512
456881e8eb820360675b372e843a1b9188f9ca5db35c38f111de9aee347aac62c298e195ef93748a9fc40c62e66e4d6604a5d5bea18d8a00e16c10dad1702ea7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
2KB

MD5
2876be1e48ad0b53f771950c1ed130ae

SHA1
f7a75f362f64bf1a9441286f54ef210e791065ac

SHA256
e4dc322b93a475a4f81563ddc1608db857865574a428bb211d9e3b4f4e5acb41

SHA512
12ae8bba9dfe92e16950433bf1abccba9fb1777cdc790f3389779ad0545ebc40d9866f28931e84b038897e5b7bc0f74f6a5c539dbdce4656285676605fb62ec8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
2KB

MD5
87522f39ee50d988651281bd18c0e149

SHA1
76f4af3981a0bddea1b3f192f3d754e6919bfd94

SHA256
7fb0da772e215e694c897d7fdfd4addefeb4f933b51701880c922d41085a677f

SHA512
b86c6859eba228c6a75632e53d95d2eb0612dfd194c9c3c429bd0afef5ea60055ae575408b3772eb61dc36eb37040cdf31529d1851ebc99e239313c32750b8cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
2KB

MD5
b0f4ed362c8e85f2e1e9e7258579aff9

SHA1
5e0459b39f13e193ebd25f193883107962adf0ca

SHA256
3c9ebe45b935a5a87e06fa7eaae422933138f89078569fbe451c0b271f2f932d

SHA512
a7f6385aeb2229085cdba7f71732cf88418c1a5c816d4d74f77767c316e1cff9601183d7af0c89d715681d32c8854833f8488e75bd6ef8a2f8ebde5f2c090cc6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
2KB

MD5
56cdc8c45fb5b87f3d8eb927609a04f1

SHA1
e3a7b2354ffbf3a1f488159ff07ce38c31557b77

SHA256
0a9b5d30ded9a357a5d935ae893c5ccb5a88e1cdc0522be765a260f1f7189119

SHA512
50b4f6b3b2a32c7601079d814098e9d1d69a612fbd7f427e82da75aba8ad1d07fbfe63a695f7b77d8fa4a3f1d430687e438a3c3c524229ac0cfc235c4ffe04a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
2KB

MD5
9d5ff0dacf9e499c6f3ca37825abc50e

SHA1
2254fe277bbc0f7afd652937cb8110ea8f262972

SHA256
6d80881bf278aef9ddaeb04b3a5016103ad71b7425f1710c26e11154f69b707c

SHA512
358b35687a0f91fce00953de0adfe57107968c4b8e36a3cf597e56340c85936a1bcb8b84f12ab03cb2e80cf408ab9b5edcb702df20d8392fd4169e45d0c39db6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
2KB

MD5
345419c07f7a5d379ce92cde7836dbb9

SHA1
89d8bd4c797d7c6626e468297a2722592a4cffe3

SHA256
6b379eb417ef5919bdd1a5ece7454e9dbc8ac443fde1530f17ffa6d5cbdc0eb7

SHA512
9626691cc813fa3cd114838f1021acacd1bc041e022df889120a4a478a07f7713a80c59e94a210eb889b6cbbfabde2b03d7a2968b535085bd5547cae45315378

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
2KB

MD5
e3da8bd8354eeffa26a2436289497608

SHA1
73a5a4aa0f1ce4fb030daa425a2f0d488f74050b

SHA256
e3ddc05b5b2edb85320c013e06905c9f70aa7182d22b027c00d100810a1e1b83

SHA512
59234835c7a632be8c691a17a369b8974cf1a0683a6a4d81fc438f61528eb90f00c9add55f65d13f9b9204c0f4a0e1d6b72a1256e89b3bac52a61dee8846e40f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
2KB

MD5
ab68b577f749c9a65d1c45ca7e5196b1

SHA1
3c563f035ef5dbfdd188b3e62255f09c85ed7f40

SHA256
6ad75a66e3048b86b22df029b687f795ed8a29c2f680ef26e1edf0b426bf3588

SHA512
9b5d006e92d6411aaf8cbc271d752899fba418e45f08f1268353c6f77226ab9af1b60c8c1386f8cb157225cf451d6146dab67f555ab5c5b2c38236d93f915ab1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
2KB

MD5
450244434fa47bec561545040a65e297

SHA1
304eefe0ae9ee5e29d4843d6705849671f2d6c7e

SHA256
41fcc6e78ac7a77b9bdc9d7eaacfd0a356d48534411d743bd66e72c114a57a1c

SHA512
67961f5be18d92fe3c87ee3827603e23ec12669e8527bc0af32c56f99847cb60ebc941a65fd3e1b6ab405c4a8ba6b938b137919fb00fd90628ee665f8319b69b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
162410be3ccd158a3275cf186c6b1fb2

SHA1
5714e754e46d10c90073f028d78894ffef39c06e

SHA256
0b8bb7200f7ae9fe9523879a3828842dc2575e2f0c0608ade90ebe18c01a8681

SHA512
3084b58b668219cdd3dc2542195c378343fea1d5c5d0e3dd98fa656145e042f00a068d8d79ed7544565a327f5f1ed81b6abe66623f0efc48af4e3e49ae1bc35d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
ccbef2fc15b82fb956417bcdc0903317

SHA1
924776f66ca79986d2868823fd9a7e0a99341725

SHA256
e4e99c0aebd91f5f3205b0b641d0d8b49338c6e0d631be1f53a419d08b2d064e

SHA512
e97fd85c8cc2727c0bd43e7a76070a9cf59255e987562e330aa54811ac8de5191936a3c1c3a76eb8b11f9d7c9fce2b5dc209572d672ccce631e4691d4f2989fe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
27761cd7c76738d02cf59cf46b7c0a1a

SHA1
7fbe6a12c6c8fc116bf049337fc9c6d22d64cec7

SHA256
b7644a8dfe86c0bbf32146c8060d71375400d881669aff7a1089ada575098cc8

SHA512
a4586b376450da4286966bc80bec6cb21cb1118daf7525d8aa6e0fa8364482dea93005e16fd6dc660074cf40c2809dff782eff7b97db0e60034361c65d14413a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
1ec7994a093a46565240989f757d6f88

SHA1
5d2e4acf9037d3ce97b6660f052df9c60f1d3844

SHA256
ba7bae29525cc508119da933e3f5c62a941659d8ba588e3b1eb97493ccc78e1e

SHA512
4676dd5b9f8dfc72b72bcec5f6bdb07d2edd34300b71ad1b459225cdd5b03dca5d7527cabfb6fd8c8e8cd9381e0e82cccbec96bd60b3a73d81b179ad92e4c2ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
3fa60490c306b472ec431f18948d618b

SHA1
9ce169f365841f3fcabe571a9d9d009d4b3db5aa

SHA256
47992317e0751f064ec527a7a893d2eb5ec4cb84cb9860a8391fff5bf469674a

SHA512
5e551f81d32b72e1088669dec9e98bb92f1b29729c9c46810dc4a8dc8e2f615b65d86025cc641662c3c6239062f8456cfbb5e199693f6f612b9e7bcb9ca88c80

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
3544c7af92a43cba043f2ed63060c630

SHA1
88dd7858b0b218ff898b4488e9c94683425685dd

SHA256
807a58ace4073057c26ea7ea584f75752674a8a0558559cc1b2204719354b7ae

SHA512
a968ba368c5ce8f6b3e7c93c95b4a424dde9cb91297091f48fda773f7469e573cb8ce5f1b444e84f3fbda1822152516cc3acee748c5ba1c8b16acdc5d4789775

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
d7d781360f6313bf63e12381c56945e1

SHA1
634cccb47af0d9851db4c0b2e7ddd438d13ba3c4

SHA256
28432e89f6784006301fbced909724d3f5597cfddb5b6759ea7678a258fca5b4

SHA512
454cf6686368046baafc4153b42268e9886ffe6f550f6e4e127a69bd9bd13dc9d7cd8b711bb55bdcbd92b1477eb2e6057654fe80458e5e875b86fd0b4476630e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
3f01e4afaabd91150aa74c2ec967c03e

SHA1
bc17af04f8fa9637e245924c37c5930843cec6a9

SHA256
3c1a71c2ee5734ca392b7be9f5c8c0ea72357eb60c3789092ce82037016424c8

SHA512
a47e681d79df21e6b3f3f99f6c84cab0b129e6fe1aa4c46f2fefea3fc9868451d7421ad4bc9d7a4c338792a4f19e3c279e2f2ba1ad2986037cea5750d1343bd6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
fcb8cefe489cb1279baa694186c17f6d

SHA1
12e936f18a97c369bb0db4b23f00f5f2f7692b1a

SHA256
a3b327e4db5f84ca16d42762d55684cf77b940861c675467124b66f9a3410bef

SHA512
d8cf8a7dbe55a51cb9d6abd53a3bad3029ebe48ea87ad27dc72875f4ea7c643283c281943ae9322516555e57e0d090e9542a1bc690c1e84ed62af68b0eab23e0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
25a214763cd8880a74f0d81690cd514a

SHA1
b964f127cc46f514a60dbe066b58d11ceb6f4c5c

SHA256
be4df458bf77b9496fd2b434d1dca6d22303a3cff8da38f043c083e569818548

SHA512
15c9f62d642f288522f0c0278ef926367a5429b63e504cbcfb7ed23ced5881c886d60a427dced62099a8ba3277993a648042acaa9a70131ffdc50d2b357bb42c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
0b26384f9535b2e566edc8cc918b2908

SHA1
82c8e19106639eb18dcc806984ecd9bd1374b447

SHA256
26fb5ff851dbce8e3df8dc0d61e7f6ffeafebccf49e6d0dbc7c4cc76e078f3bc

SHA512
8c4c9e805daec25cae3e4dd3d9c497ca82d08c6abcac055c22ca7182c6d2c0079a54c7db2a8957998f68649a2307b69d9fd20734f58e57d962a6b4d33ea70d35

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html

Filesize
10KB

MD5
194ebab2c4193ff919362c082555dddc

SHA1
a9789ac6c74fc27d38107d9dfacec673fd64367e

SHA256
c8da1593198234a3b8c664e004a350fd9e4008f2f0f8951187efa50e535790f1

SHA512
bd301b569f0f6e720c797bb3f0ec75e0b8ad8c53a73346b31486b350cdf9920089f5211b10436cadce3ddc9b24c516c1c0bb6e6ddb1cb89b93c2f4bef3b2e552

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

Filesize
1KB

MD5
dd13d2a68d8ae9d9c8808474318ca5ab

SHA1
f5e617390554af1e36d5d7bf1fcff5f6ab8904f6

SHA256
92429d64ff2dc2b36dcb358a6ebf707ade95025341c1c1f62f7332260739ab65

SHA512
0fead7f56c6a170e5d14496ffb318d7ca2a9c9bf60dc05913262aa45c30edacffaea69189eace2365c056746f43c00ffa26126da07c8209788e104871fe8c323

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
d57bf96645c7d3f7576dd3390fbe6e7f

SHA1
1065b8fd96a6f89b90b5abe6aa8669eebc3cea5a

SHA256
c3a9d056bf6157f8969b885de0c84223459d03989ab52dbddf6deebfeb333f84

SHA512
a1ba00efaed769f79c2566a8edd3eecb4d5f94bfe3cd7ec472ab84ec4ad4c12a8311c0fa5cbf87f66fd5dc85f0e34f24c6c7a0d0638d2d17d59cff9ac2cfb2eb

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
fc1c3f197be72b083c7ebdd1b57bd136

SHA1
3ea4f9f837b5926cfa8ad0ced38e60d1c3590cd8

SHA256
cd713efacb49d1650f197ccfd08a191bf21becb15522699b38d742caa10bcd6a

SHA512
0aad7a3c2fff99f1a687b6ea8a6d06cd0441ebe1237ddcf13450929596958d3cb9ed18ce62ab2f2b8341c7a2762ab3f8cce9bb7fa8399fffd1a63fda7a8ada24

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
6ade6ff4d187bc2ac873e9b0f76b417e

SHA1
8b533644c7a13943dd936c5b30d6a8804899cf0b

SHA256
00e93af0ba53ad537c15fdfc6acec0927b4ca6597ebac80b8bad87fe080312ec

SHA512
d5f8f5ec423b1265a69328e3539cc700ba28c345bd573c82d1e04ac9dcd2ab49b2b6a5c99add62d657349ab80bc0c6a88de279e048bc78f0596a4b0d3868623b

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
4162c65ce170f244f12d16b604549226

SHA1
1a9cee7dfcef51dc6167ae719c8e16c7876ea566

SHA256
f3991472ee4325a4b73704c9393364f924786908452451947d8bd10afb99d2d6

SHA512
62c26999e7c965337bc80e34d05bf99ac6104976c84a5973610ed529f67d500f133241788a9a331af013c8bc3174cf1d6bc00852298750230676239cf91b14e2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
3080836f94921ddeb3860123d15c9266

SHA1
3b8f2fb94390683f58b3a445380cd4235b03c4a4

SHA256
b34631b568fd08f8c44e61684032d898e599a561989e9f4586521cde9c569f7e

SHA512
79cd78bdf3c47100542d8c2e414f0eef1c154c499c65ffa4fa3b7e533deadf5bed924133a02db14bf209c056629bfd1b0b0169b4605962015dfc4ff2a15397d8

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002

Filesize
1KB

MD5
38a971689a2c68553a370d338b8eaadd

SHA1
87246e7a16bdb25cd0819d0a5e10729e84474dfd

SHA256
a08a2e089d112abee20dfd183b7dbd50a1866e7d149041d63a78bb4536bb832b

SHA512
15bab55c895c65a1366eb51710e526ca475e386e80eb683fc8a655e21a4eb173c63c80ea6233b5f4ae42f93c04faef2e7e94bf744a87b70bee0236073efd7c5d

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
b9c71e6ea36d7851fae7953fcf1076ff

SHA1
7597a08d879e8019c1ff1741f755cbe7576af757

SHA256
f5fd915fe5e252c1bfff8eecfd29d6240d13b5fa531b13a8a0df4b63cb57b75a

SHA512
201b0abac2e53aaa3993cacaf9de8ddae89a8782143d415c4a567634797e998843db945b37590c22a929384686e98c592bfc074d27e24b414c8589883f319ae0

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
a6235bef7124fbcf593cd7020bb59498

SHA1
2bcf68f77856d3361b531bedb562a8177db34868

SHA256
ac86416f13cedd5b8849290158099a7802576663d4b7fe10c522a4121e6a81b9

SHA512
c49434cd045f19f2669695bce0f2b089f0a4c283e908f109f91f067afa8ded7e90f190468bca752cc2c173a7e45852f57b518ca7aa581f04b520a83da276606e

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi

Filesize
149KB

MD5
a111657be1055640f59f80d8d2c70d63

SHA1
0f8ee6ed657b83d4216f137eeba72fc7fc220242

SHA256
9d5a89d99baf380cdf1cd3687f6fd3a95a3aece04e0204201caa2628ac83adb3

SHA512
63bfc0a48441608d3da6b8137169facefdad1177497790a4498d661758539ca2e15bdb748bbd0e4833df1a233859cc18e5fe8e634fbefb501857064f260f99b6

Download Submit
\Device\HarddiskVolume1\Boot\how_to_back.html

Filesize
5KB

MD5
b84e9868b00f7fc179bbc1c4b041e08b

SHA1
e00fef9e07e60bac2d2c9fbec2092bfced121393

SHA256
66d864c626476d04321912ca739c2b15519b7bed2143c2ddfd8c9f4ebb01e460

SHA512
3d45fc27ef1ad52f21d54de138748db53d099f89c5d1440ea68ccdfd57b0b5a86364802bce3840224122649b69848c641018d06f622dbf5b7f66229d33a1b8ba

Download Submit