Analysis
max time kernel: 159s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-02-2024 17:48
Behavioral task: behavioral1
Sample: 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Resource: win7-20240220-en
Behavioral task: behavioral2
Sample: 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Resource: win10v2004-20240226-en
General
Target: 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Size: 335KB
MD5: 971e7aa8b0f947b99c9efaeff6ec6829
SHA1: 8736231b49625d21d51e9def26234fd30ec94643
SHA256: 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa
SHA512: 4c639ab003b32363bfb8a3d4d25db5bcab535f228267f9d50d80d4c18e8b304ce6266e486bb29f475b994356694dc84bbafc52e06bceeba768411026dd42f4cc
SSDEEP: 6144:Ss39QEhvsfBm9LA8CwumYTyBR/APygP9cnPRpjbeVPDGsIFvrMqu:z9dSSA8CwumYTyBJAPyglgq1f2rMqu
Malware Config
Extracted
C:\odt\HOW_TO_BACK_FILES.html
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description | pid | Process | procid_target
PID 5104 created 3372 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 70
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid | Process
4252 | bcdedit.exe
896 | bcdedit.exe
Renames multiple (4373) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
pid | Process
4388 | wbadmin.exe
pid | Process
1076 | wbadmin.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe\"" | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe\"" | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\J: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\N: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\R: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\T: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\Q: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\Y: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\F: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\G: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\K: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\L: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\O: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\P: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\I: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\M: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\S: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\V: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\W: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\X: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\B: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\E: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\H: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\U: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only) | \??\Z: | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-colorize.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-125.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-125.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\View3d\3DViewerProductDescription-universal.xml | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-100.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-200.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-200.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\CottonCandy.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-white_scale-125.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\hand.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\PackageLogo.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-16.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ug.txt | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files\VideoLAN\VLC\locale\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\styles.css | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1113_20x20x32.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-300.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-unplated_contrast-white.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-200.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files\Java\jdk-1.8\legal\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\HOW_TO_BACK_FILES.html | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-200.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-200.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-150.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-96_altform-lightunplated.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-unplated.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-125.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-16.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_Welcome.mp4 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-96_altform-unplated.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-125_contrast-white.png | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2040 | vssadmin.exe
Kills process with taskkill 14 IoCs
pid | Process
2348 | taskkill.exe
4044 | taskkill.exe
1396 | taskkill.exe
2864 | taskkill.exe
1092 | taskkill.exe
1396 | taskkill.exe
1580 | taskkill.exe
4044 | taskkill.exe
4896 | taskkill.exe
1836 | taskkill.exe
4672 | taskkill.exe
1096 | taskkill.exe
4328 | taskkill.exe
3008 | taskkill.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 32 IoCs
pid | Process
5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe (this row appears 32 times)
Suspicious use of AdjustPrivilegeToken 36 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1092 | taskkill.exe
Token: SeDebugPrivilege | 1396 | taskkill.exe
Token: SeDebugPrivilege | 4896 | taskkill.exe
Token: SeDebugPrivilege | 2348 | taskkill.exe
Token: SeDebugPrivilege | 4328 | taskkill.exe
Token: SeDebugPrivilege | 4672 | taskkill.exe
Token: SeDebugPrivilege | 1096 | taskkill.exe
Token: SeDebugPrivilege | 4044 | taskkill.exe
Token: SeDebugPrivilege | 1396 | taskkill.exe
Token: SeDebugPrivilege | 1580 | taskkill.exe
Token: SeDebugPrivilege | 2864 | taskkill.exe
Token: SeDebugPrivilege | 1836 | taskkill.exe
Token: SeIncreaseQuotaPrivilege | 5016 | WMIC.exe
Token: SeSecurityPrivilege | 5016 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 5016 | WMIC.exe
Token: SeLoadDriverPrivilege | 5016 | WMIC.exe
Token: SeSystemProfilePrivilege | 5016 | WMIC.exe
Token: SeSystemtimePrivilege | 5016 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 5016 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 5016 | WMIC.exe
Token: SeCreatePagefilePrivilege | 5016 | WMIC.exe
Token: SeBackupPrivilege | 5016 | WMIC.exe
Token: SeRestorePrivilege | 5016 | WMIC.exe
Token: SeShutdownPrivilege | 5016 | WMIC.exe
Token: SeDebugPrivilege | 5016 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 5016 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 5016 | WMIC.exe
Token: SeUndockPrivilege | 5016 | WMIC.exe
Token: SeManageVolumePrivilege | 5016 | WMIC.exe
Token: 33 | 5016 | WMIC.exe
Token: 34 | 5016 | WMIC.exe
Token: 35 | 5016 | WMIC.exe
Token: 36 | 5016 | WMIC.exe
Token: SeBackupPrivilege | 2740 | vssvc.exe
Token: SeRestorePrivilege | 2740 | vssvc.exe
Token: SeAuditPrivilege | 2740 | vssvc.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 5104 wrote to memory of 2408 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 98 (3 identical rows)
PID 2408 wrote to memory of 3628 | 2408 | cmd.exe | 100 (2 identical rows)
PID 5104 wrote to memory of 2956 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 101 (3 identical rows)
PID 2956 wrote to memory of 1096 | 2956 | cmd.exe | 103 (2 identical rows)
PID 1096 wrote to memory of 1092 | 1096 | cmd.exe | 104 (2 identical rows)
PID 5104 wrote to memory of 2692 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 106 (3 identical rows)
PID 2692 wrote to memory of 920 | 2692 | cmd.exe | 108 (2 identical rows)
PID 920 wrote to memory of 4044 | 920 | cmd.exe | 109 (2 identical rows)
PID 5104 wrote to memory of 4928 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 110 (3 identical rows)
PID 4928 wrote to memory of 3580 | 4928 | cmd.exe | 112 (2 identical rows)
PID 3580 wrote to memory of 1396 | 3580 | cmd.exe | 113 (2 identical rows)
PID 5104 wrote to memory of 1580 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 114 (3 identical rows)
PID 1580 wrote to memory of 3728 | 1580 | cmd.exe | 116 (2 identical rows)
PID 3728 wrote to memory of 4896 | 3728 | cmd.exe | 117 (2 identical rows)
PID 5104 wrote to memory of 960 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 118 (3 identical rows)
PID 1240 wrote to memory of 2348 | 1240 | cmd.exe | 121 (2 identical rows)
PID 5104 wrote to memory of 2160 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 122 (3 identical rows)
PID 2160 wrote to memory of 3952 | 2160 | cmd.exe | 125 (2 identical rows)
PID 3952 wrote to memory of 4328 | 3952 | cmd.exe | 124 (2 identical rows)
PID 5104 wrote to memory of 3680 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 126 (3 identical rows)
PID 3680 wrote to memory of 2596 | 3680 | cmd.exe | 128 (2 identical rows)
PID 2596 wrote to memory of 4672 | 2596 | cmd.exe | 129 (2 identical rows)
PID 5104 wrote to memory of 1728 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 130 (3 identical rows)
PID 1728 wrote to memory of 3692 | 1728 | cmd.exe | 132 (2 identical rows)
PID 3692 wrote to memory of 1096 | 3692 | cmd.exe | 133 (2 identical rows)
PID 5104 wrote to memory of 2956 | 5104 | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe | 167 (3 identical rows)
PID 2956 wrote to memory of 4596 | 2956 | net1.exe | 136 (2 identical rows)
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXE (PID 3372)
  Command line: C:\Windows\Explorer.EXE
    C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe (PID 5104)
      Command line: "C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Adds Run key to start application
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
        C:\Windows\SysWOW64\cmd.exe (PID 2408)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe (PID 3628)
              Command line: C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
        C:\Windows\SysWOW64\cmd.exe (PID 2956)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe (PID 1096)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe (PID 1092)
                  Command line: taskkill -f -im sqlbrowser.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 2692)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe (PID 920)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe (PID 4044)
                  Command line: taskkill -f -im sql writer.exe
                  - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 4928)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe (PID 3580)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe (PID 1396)
                  Command line: taskkill -f -im sqlserv.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 1580)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe (PID 3728)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe (PID 4896)
                  Command line: taskkill -f -im msmdsrv.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 960)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
            C:\Windows\system32\cmd.exe (PID 1240)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe (PID 2348)
                  Command line: taskkill -f -im MsDtsSrvr.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 2160)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe (PID 3952)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
              - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 3680)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe (PID 2596)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe (PID 4672)
                  Command line: taskkill -f -im fdlauncher.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 1728)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\cmd.exe (PID 3692)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
              - Suspicious use of WriteProcessMemory
                C:\Windows\system32\taskkill.exe (PID 1096)
                  Command line: taskkill -f -im Ssms.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 2956)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
            C:\Windows\system32\cmd.exe (PID 4596)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
                C:\Windows\system32\taskkill.exe (PID 4044)
                  Command line: taskkill -f -im SQLAGENT.EXE
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 3460)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
            C:\Windows\system32\cmd.exe (PID 3904)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
        C:\Windows\SysWOW64\cmd.exe (PID 4888)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
            C:\Windows\system32\cmd.exe (PID 2172)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
                C:\Windows\system32\taskkill.exe (PID 1580)
                  Command line: taskkill -f -im ReportingServicesService.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 2212)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
            C:\Windows\system32\cmd.exe (PID 4924)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
                C:\Windows\system32\taskkill.exe (PID 2864)
                  Command line: taskkill -f -im msftesql.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 4872)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
            C:\Windows\system32\cmd.exe (PID 1444)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
                C:\Windows\system32\taskkill.exe (PID 1836)
                  Command line: taskkill -f -im pg_ctl.exe
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 1576)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
            C:\Windows\system32\cmd.exe (PID 2596)
              Command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
                C:\Windows\system32\taskkill.exe (PID 3008)
                  Command line: taskkill -f -impostgres.exe
                  - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 4420)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
            C:\Windows\system32\cmd.exe (PID 2132)
              Command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
                C:\Windows\system32\net.exe (PID 2856)
                  Command line: net stop MSSQLServerADHelper100
                    C:\Windows\system32\net1.exe (PID 1096)
                      Command line: C:\Windows\system32\net1 stop MSSQLServerADHelper100
        C:\Windows\SysWOW64\cmd.exe (PID 4580)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
            C:\Windows\system32\cmd.exe (PID 920)
              Command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
                C:\Windows\system32\net.exe (PID 4968)
                  Command line: net stop MSSQL$ISARS
                    C:\Windows\system32\net1.exe (PID 2956)
                      Command line: C:\Windows\system32\net1 stop MSSQL$ISARS
                      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1088)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
            C:\Windows\system32\cmd.exe (PID 4568)
              Command line: C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
                C:\Windows\system32\net.exe (PID 3988)
                  Command line: net stop MSSQL$MSFW
                    C:\Windows\system32\net1.exe (PID 3460)
                      Command line: C:\Windows\system32\net1 stop MSSQL$MSFW
        C:\Windows\SysWOW64\cmd.exe (PID 3380)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
            C:\Windows\system32\cmd.exe (PID 1660)
              Command line: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
                C:\Windows\system32\net.exe (PID 4684)
                  Command line: net stop SQLAgent$ISARS
                    C:\Windows\system32\net1.exe (PID 3820)
                      Command line: C:\Windows\system32\net1 stop SQLAgent$ISARS
        C:\Windows\SysWOW64\cmd.exe (PID 2040)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
            C:\Windows\system32\cmd.exe (PID 1240)
              Command line: C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
                C:\Windows\system32\net.exe (PID 2212)
                  Command line: net stop SQLAgent$MSFW
                    C:\Windows\system32\net1.exe (PID 5068)
                      Command line: C:\Windows\system32\net1 stop SQLAgent$MSFW
        C:\Windows\SysWOW64\cmd.exe (PID 888)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
            C:\Windows\system32\cmd.exe (PID 3836)
              Command line: C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
                C:\Windows\system32\net.exe (PID 3780)
                  Command line: net stop SQLBrowser
                    C:\Windows\system32\net1.exe (PID 3900)
                      Command line: C:\Windows\system32\net1 stop SQLBrowser
        C:\Windows\SysWOW64\cmd.exe (PID 1804)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
            C:\Windows\system32\cmd.exe (PID 1100)
              Command line: C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
                C:\Windows\system32\net.exe (PID 4728)
                  Command line: net stop REportServer$ISARS
                    C:\Windows\system32\net1.exe (PID 956)
                      Command line: C:\Windows\system32\net1 stop REportServer$ISARS
        C:\Windows\SysWOW64\cmd.exe (PID 2856)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
            C:\Windows\system32\cmd.exe (PID 2912)
              Command line: C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
                C:\Windows\system32\net.exe (PID 3500)
                  Command line: net stop SQLWriter
                    C:\Windows\system32\net1.exe (PID 4876)
                      Command line: C:\Windows\system32\net1 stop SQLWriter
        C:\Windows\SysWOW64\cmd.exe (PID 4968)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
            C:\Windows\system32\cmd.exe (PID 440)
              Command line: C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
                C:\Windows\system32\vssadmin.exe (PID 2040)
                  Command line: vssadmin.exe Delete Shadows /All /Quiet
                  - Interacts with shadow copies
        C:\Windows\SysWOW64\cmd.exe (PID 4596)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
            C:\Windows\system32\cmd.exe (PID 4920)
              Command line: C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
                C:\Windows\system32\wbadmin.exe (PID 1076)
                  Command line: wbadmin delete backup -keepVersion:0 -quiet
                  - Deletes system backups
        C:\Windows\SysWOW64\cmd.exe (PID 2692)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
            C:\Windows\system32\cmd.exe (PID 3508)
              Command line: C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
                C:\Windows\system32\wbadmin.exe (PID 4388)
                  Command line: wbadmin DELETE SYSTEMSTATEBACKUP
                  - Deletes System State backups
                  - Drops file in Windows directory
        C:\Windows\SysWOW64\cmd.exe (PID 2956)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
            C:\Windows\system32\cmd.exe (PID 4908)
              Command line: C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                C:\Windows\system32\wbadmin.exe (PID 4424)
                  Command line: wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        C:\Windows\SysWOW64\cmd.exe (PID 3128)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
            C:\Windows\system32\cmd.exe (PID 788)
              Command line: C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
                C:\Windows\System32\Wbem\WMIC.exe (PID 5016)
                  Command line: wmic.exe SHADOWCOPY /nointeractive
                  - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 2960)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
            C:\Windows\system32\cmd.exe (PID 2476)
              Command line: C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                C:\Windows\system32\bcdedit.exe (PID 896)
                  Command line: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                  - Modifies boot configuration data using bcdedit
        C:\Windows\SysWOW64\cmd.exe (PID 3732)
          Command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            C:\Windows\system32\cmd.exe (PID 2336)
              Command line: C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
                C:\Windows\system32\bcdedit.exe (PID 4252)
                  Command line: bcdedit.exe /set {default} recoverynabled No
                  - Modifies boot configuration data using bcdedit
    C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe (PID 264)
      Command line: \\?\C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe -network
      - Adds Run key to start application
      - System policy modification
        C:\Windows\SysWOW64\cmd.exe (PID 2172)
          Command line: C:\Windows\system32\cmd.exe /c pause
C:\Windows\system32\taskkill.exe (PID 4328)
  Command line: taskkill -f -im sqlceip.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\taskkill.exe (PID 1396)
  Command line: taskkill -f -im fdhost.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\DllHost.exe (PID 4872)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\vssvc.exe (PID 2740)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\sihclient.exe (PID 2956)
  Command line: C:\Windows\System32\sihclient.exe /cv 63aft7S5gEy89N64R+gU1A.0.1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3592)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads