951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa

Analysis

max time kernel
159s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Size

335KB
MD5

971e7aa8b0f947b99c9efaeff6ec6829
SHA1

8736231b49625d21d51e9def26234fd30ec94643
SHA256

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa
SHA512

4c639ab003b32363bfb8a3d4d25db5bcab535f228267f9d50d80d4c18e8b304ce6266e486bb29f475b994356694dc84bbafc52e06bceeba768411026dd42f4cc
SSDEEP

6144:Ss39QEhvsfBm9LA8CwumYTyBR/APygP9cnPRpjbeVPDGsIFvrMqu:z9dSSA8CwumYTyBJAPyglgq1f2rMqu

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\odt\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a></a><br> <br><br> <br> <br> <br> <a><br> </a> <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html> {{URL}}

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

description pid process target process

PID 5104 created 3372 5104 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4252 bcdedit.exe
896 bcdedit.exe
Renames multiple (4373) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4388 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1076 wbadmin.exe

description	pid	process	target process
PID 5104 created 3372	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	Explorer.EXE

pid	process
4252	bcdedit.exe
896	bcdedit.exe

pid	process
4388	wbadmin.exe

pid	process
1076	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe\""	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe\""	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

description	ioc	process
File opened (read-only)	\??\A:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\J:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\N:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\R:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\T:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\Q:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\Y:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\F:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\G:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\K:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\L:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\O:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\P:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\I:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\M:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\S:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\V:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\W:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\X:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\B:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\E:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\H:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\U:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened (read-only)	\??\Z:	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Drops file in Program Files directory 64 IoCs

Processes:

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-96_altform-colorize.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-60.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailSmallTile.scale-125.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-phn.xrm-ms	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\LargeTile.scale-125.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\View3d\3DViewerProductDescription-universal.xml	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-24_altform-unplated.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraWideTile.contrast-white_scale-100.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxA-Exchange.scale-200.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteWideTile.scale-200.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ul-oob.xrm-ms	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\CottonCandy.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.contrast-white_scale-125.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\hand.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\PackageLogo.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CalibriL.ttf	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-16.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square150x150Logo.scale-200.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files\VideoLAN\VLC\locale\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\styles.css	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-96.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-125_contrast-white.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1113_20x20x32.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-300.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-48_altform-unplated_contrast-white.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\MoviesAnywhereLogoWithTextLight.scale-200.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files\Java\jdk-1.8\legal\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\HOW_TO_BACK_FILES.html	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square150x150\PaintMedTile.scale-200.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-150_contrast-white.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchWideTile.contrast-black_scale-200.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailSmallTile.scale-150.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Trial-ppd.xrm-ms	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeOneNote.nrr	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.targetsize-96_altform-lightunplated.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\AppIcon.targetsize-24_altform-unplated.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockSmallTile.contrast-white_scale-125.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-16.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_Welcome.mp4	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-96_altform-unplated.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-pl.xrm-ms	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-125_contrast-white.png	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2040 vssadmin.exe

pid	process
2040	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2348	taskkill.exe
4044	taskkill.exe
1396	taskkill.exe
2864	taskkill.exe
1092	taskkill.exe
1396	taskkill.exe
1580	taskkill.exe
4044	taskkill.exe
4896	taskkill.exe
1836	taskkill.exe
4672	taskkill.exe
1096	taskkill.exe
4328	taskkill.exe
3008	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

pid	process
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	4328	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	1396	taskkill.exe
Token: SeDebugPrivilege	1580	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	1836	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5016	WMIC.exe
Token: SeSecurityPrivilege	5016	WMIC.exe
Token: SeTakeOwnershipPrivilege	5016	WMIC.exe
Token: SeLoadDriverPrivilege	5016	WMIC.exe
Token: SeSystemProfilePrivilege	5016	WMIC.exe
Token: SeSystemtimePrivilege	5016	WMIC.exe
Token: SeProfSingleProcessPrivilege	5016	WMIC.exe
Token: SeIncBasePriorityPrivilege	5016	WMIC.exe
Token: SeCreatePagefilePrivilege	5016	WMIC.exe
Token: SeBackupPrivilege	5016	WMIC.exe
Token: SeRestorePrivilege	5016	WMIC.exe
Token: SeShutdownPrivilege	5016	WMIC.exe
Token: SeDebugPrivilege	5016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5016	WMIC.exe
Token: SeRemoteShutdownPrivilege	5016	WMIC.exe
Token: SeUndockPrivilege	5016	WMIC.exe
Token: SeManageVolumePrivilege	5016	WMIC.exe
Token: 33	5016	WMIC.exe
Token: 34	5016	WMIC.exe
Token: 35	5016	WMIC.exe
Token: 36	5016	WMIC.exe
Token: SeBackupPrivilege	2740	vssvc.exe
Token: SeRestorePrivilege	2740	vssvc.exe
Token: SeAuditPrivilege	2740	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exenet1.exe

description	pid	process	target process
PID 5104 wrote to memory of 2408	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 2408	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 2408	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 2408 wrote to memory of 3628	2408	cmd.exe	cmd.exe
PID 2408 wrote to memory of 3628	2408	cmd.exe	cmd.exe
PID 5104 wrote to memory of 2956	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 2956	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 2956	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 2956 wrote to memory of 1096	2956	cmd.exe	cmd.exe
PID 2956 wrote to memory of 1096	2956	cmd.exe	cmd.exe
PID 1096 wrote to memory of 1092	1096	cmd.exe	taskkill.exe
PID 1096 wrote to memory of 1092	1096	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 2692	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 2692	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 2692	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 2692 wrote to memory of 920	2692	cmd.exe	cmd.exe
PID 2692 wrote to memory of 920	2692	cmd.exe	cmd.exe
PID 920 wrote to memory of 4044	920	cmd.exe	taskkill.exe
PID 920 wrote to memory of 4044	920	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 4928	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 4928	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 4928	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 4928 wrote to memory of 3580	4928	cmd.exe	cmd.exe
PID 4928 wrote to memory of 3580	4928	cmd.exe	cmd.exe
PID 3580 wrote to memory of 1396	3580	cmd.exe	taskkill.exe
PID 3580 wrote to memory of 1396	3580	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 1580	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 1580	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 1580	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 1580 wrote to memory of 3728	1580	cmd.exe	cmd.exe
PID 1580 wrote to memory of 3728	1580	cmd.exe	cmd.exe
PID 3728 wrote to memory of 4896	3728	cmd.exe	taskkill.exe
PID 3728 wrote to memory of 4896	3728	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 960	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 960	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 960	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 1240 wrote to memory of 2348	1240	cmd.exe	taskkill.exe
PID 1240 wrote to memory of 2348	1240	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 2160	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 2160	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 2160	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 2160 wrote to memory of 3952	2160	cmd.exe	cmd.exe
PID 2160 wrote to memory of 3952	2160	cmd.exe	cmd.exe
PID 3952 wrote to memory of 4328	3952	cmd.exe	taskkill.exe
PID 3952 wrote to memory of 4328	3952	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 3680	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 3680	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 3680	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 3680 wrote to memory of 2596	3680	cmd.exe	cmd.exe
PID 3680 wrote to memory of 2596	3680	cmd.exe	cmd.exe
PID 2596 wrote to memory of 4672	2596	cmd.exe	taskkill.exe
PID 2596 wrote to memory of 4672	2596	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 1728	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 1728	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 5104 wrote to memory of 1728	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	cmd.exe
PID 1728 wrote to memory of 3692	1728	cmd.exe	cmd.exe
PID 1728 wrote to memory of 3692	1728	cmd.exe	cmd.exe
PID 3692 wrote to memory of 1096	3692	cmd.exe	taskkill.exe
PID 3692 wrote to memory of 1096	3692	cmd.exe	taskkill.exe
PID 5104 wrote to memory of 2956	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	net1.exe
PID 5104 wrote to memory of 2956	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	net1.exe
PID 5104 wrote to memory of 2956	5104	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe	net1.exe
PID 2956 wrote to memory of 4596	2956	net1.exe	cmd.exe
PID 2956 wrote to memory of 4596	2956	net1.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372
- C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
  "C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:3628
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:920
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    PID:960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:2956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:4596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:3460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:4888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2172
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:4924
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:1444
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:2596
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:4420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:2132
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2856
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:920
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:4968
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:4568
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:3988
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:3460
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:3380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1660
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:4684
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:3820
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:2040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1240
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2212
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:3836
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:3780
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:3900
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:1804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1100
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:4728
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:956
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:2912
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:3500
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:440
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:4596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:4920
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:3508
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:4388
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:4908
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:3128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:788
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2476
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:896
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:3732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2336
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4252
- C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2172

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 63aft7S5gEy89N64R+gU1A.0.1
1⤵
PID:2956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak

Filesize
1KB

MD5
84bf6c372f5bfeb4b7aa3fbcaad39c9e

SHA1
88926bf509cb1944e49fdee7eaf6673a72f5846f

SHA256
97a5c440cb31fde94c0732d8327f15d14f5f56989759cf0100df532af7da9594

SHA512
7a93865fcaaef4a99ad97648b1e77a8e0a56d2d3fbdf15dcc46b483778d2c6c9ae691bb602b00b35c3cb97cc224718b6715cc84bd40527f1b7c9eb2f709221a4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png

Filesize
5KB

MD5
ea734a564acf820ead97465b7a032def

SHA1
b9a5c428b9d680b11dc021345a62cc81ae99b0c6

SHA256
eebca4b1b4cf68c8fcc626ec06a1a52dd68b69ea43dc69b2a42f4b5b83e8cb1b

SHA512
f62f7b06a27c5a83971a40579208e0a53d88db935a931f9fdbbfd52c38cf9266d6814a73f06d3e447048cb7e99cdcea3cca5f1dc6874e7a163b7e6bb9444529a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\aic_file_icons.png

Filesize
52KB

MD5
94dcf2c78d2d20c46ca99c8987f1bab9

SHA1
b2c7e607396f5e59ae121590e2b209b6ecde4651

SHA256
fe1e63b1ce37ba31bdf5c4aadd740f929266a09a4840916472ed5cb6f7c9ad73

SHA512
33983a8bc5d0acf865a30e4eddb94eb297ebee9878412659ff2a0f1e1c4b57781992b279710235ad6623fe155b197f127cc801e426aba5dd46122fa16682d602

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions.png

Filesize
3KB

MD5
9d425ad69362e9794060e672a5602fff

SHA1
0eafc0a8fd92cf32c49c70e9751eca56b82b5905

SHA256
29bd2918ab92bb4bef00197b17168b6653ab3c6433f6fcf37dcddb0c65132b09

SHA512
d2e57d7d43ac01d132413f46ef3aa72c2747b3dcba469b12fd10c24836f65f74ce6e256a7f7eb6ce4db260dbae1414f4955f27d8c7388bc89405462ffdeb42bf

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reject_18.svg

Filesize
2KB

MD5
3b34ab4ec1eeaa9dd921587cc30c8e20

SHA1
085524e9cc95e17b4a336a8c488f58764bddf80b

SHA256
6eef018e26263fed11f154e7e0c15351b0ff891b12f9f9ef631cd994a01bf3e0

SHA512
d6d6dfd40bee44d919aae8efd71ab379dd62c7b17e935afcc81819cbd810c80dc044a71ff5485e9f5e29642ce858fb5341c52ca6bcba8740f2816f80c3b36094

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\ui-strings.js

Filesize
5KB

MD5
7cbfad364a4a3fd66b8801f73cc2991c

SHA1
f6a9916bb94b3d69fd2322144b498eb57f36cb6e

SHA256
7c87665ae1003774ea3b8264f583d182cccbd6c7e35b36a8beb31c6925c6b705

SHA512
8cfb857603625e39d82f63e506aaacf1019bf67b60bad02aed4bbd7afd25e66de2f3f741a6ad7e096dfad3c41a78ca8bf9980400010debbd2914714d824eeafb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\ui-strings.js

Filesize
9KB

MD5
387f62e298e7e3a0d7918a27f9e8a34e

SHA1
84b20fabb0260c3542ca0463bbb9b9f47318ae4c

SHA256
1f1231d64d3837d36d2b21e2a799e7de494202a6a5315f217c6ec6d8fe134b4a

SHA512
f1db345204609d39e9be71a128a806142433493f7c83c36fbe321d12685889233e964f4203de18ca69fea98bde507361cc4e050c7406088742d96f4052c11de7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\ui-strings.js

Filesize
2KB

MD5
5b0c36bd85368e1c8a1189ef05642622

SHA1
7bc81ad9dafca72afdb13d80cb3760fa98df7ebf

SHA256
3af22f2b484246df816c8a0e9d5678258534913b3fda81feee9e082e4eaa35a7

SHA512
181433bb8142bf70552012623de9d1f292f1f07356a5bd626b6a89784e55cfae7f96628f403520101e8c619f324c0f4fed29bce6ab2b0b0051df5d48b9746b42

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\ui-strings.js

Filesize
3KB

MD5
dc89e6f408d7a77a08734ea0e1b494c2

SHA1
031002742307f5766605128349035d26bd0323b1

SHA256
31ae0f8ddc341b0507e3e382ccc825461ea1a3fd8e0a624f795196ada1866a8b

SHA512
0d795707a438fe92516b0657f91953c44311f7a3bf0e58057c4e632e0fd39e339a9d9dc5318045ae4caa6f6009d9c9d622e442666e71e9388bad6963894259d4

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js.locknet

Filesize
377KB

MD5
4ac7bd723de787eac5d0d07dfff28c15

SHA1
566ac124126c6ec7aad76485437256c6e2ef00c8

SHA256
145a6ba07e91fc9e196170d478f99f2092b529627952d8d6e576a9a1dce2e8d8

SHA512
21c291146d3f8e7934687e788657a93e8fcbfa34ca7ab503175533dae227936ea07e7f2cee541439db6cb4ef6b9394df6748cc7a44a94ac4ad2146d9761b6194

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js

Filesize
176KB

MD5
d9ed1af3fbb0cdc10245a52617a9aa38

SHA1
ab1eea57367b1aba75e3d33a64babd418a079fdd

SHA256
5296245319d8be0109d267fbca3712d1d76bb77ae4b67ec6803c9e93cfd0b64f

SHA512
f4c0cacb8bebb00f64a1c817244cdd68c0af1c15b5a09e0e927d5cf5dbfb2dc3cd64f1d4453164e4d359a2863cf2b5dc023c4149058a67b1b7d95bbb8dd5ce51

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\ui-strings.js

Filesize
2KB

MD5
7ba37a97b65ef185a61191baf7cb5631

SHA1
c1c4906073ad3754fb262f159e37ad21b14d59bc

SHA256
9fe61368fc5956803589b28194ad0464d85c31f5e19011bd0eb9c0c3a6d6a0d5

SHA512
69e8e6bedcd78a21d1a7d6f0008f73fe02ebcac1217ab6caad3bcf5ab2499b2807095424206680395b6dcccef2b92c9b571f18e9603b75a34120be6c248d5601

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons.png

Filesize
2KB

MD5
97539327533404a55cc9f2f5e4b98c21

SHA1
54e8b8de22e2d7b5d477bf65237b704c4af1114f

SHA256
ca333fcde20ac1b5ffa36d3eaaea5e371f1d1ada87150ceb2529606b08d7ca43

SHA512
452dfe1f59db9a77e57dc1ab82f78b32155ae083b92291c14cc97b8cd70f33ce7196a406226753f73914a225e9bd92b5b517b24d2d6dd2226ed9157bd0b95c62

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\example_icons2x.png

Filesize
2KB

MD5
145f077cbbe8cd523a205d8ca5195281

SHA1
0786310d456e133b05194b28ca24ff5e4c1c772a

SHA256
c276fa7f3cf3687cfae14e76d25df5d579fe5411067ec46a205e34a8bc012455

SHA512
318125dce4a36889c055beabaa1fe1d449a9bae482a749dfe1b57f28515c849e69b86fc3568ed4b4478158e82325a7bd9792ce7457bedab96f98d5a7a1b99fd7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
4fb8384a58d283ce1965d5b953c03343

SHA1
5c000526f858830c2417d0da78a7974139462288

SHA256
49c3fd1465f1b9d779b3d7f097e50d7ce92d4f5c85500d8bb2d6e501aa009331

SHA512
5a2468d9e0e04d5eec81abb097a3f9ac84558a5e5d3dcdac98e8dafba44b4bf9b9588e707d082bef1372b138462300b16a8c975da0054cdca707789370292cdf

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
1KB

MD5
8f9ad7006348369e95d55c2a8f03ac47

SHA1
4d97c3c6fa0943e18ef83bd0194a3c44e083ceb4

SHA256
afd543099991bd573b4f7b1aad2a369bc3888b81c615da8f962130b2c73092d7

SHA512
dcfeac172fc7337335bd9f093e0ca31ad37ca310162bf089c4bc8133cb9bc6391926add06c2c3e94cd9ab1546b95f383946c04a5830e2775f1bc5bcc34d3e22c

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
92dac97e0d4c9d1369bb05834ff4409d

SHA1
46b4dcf958b0183b9a1345c0964963a1ee6c19a1

SHA256
1610674be115620361691999d9838950b1e539e81a686311ab73dca407cffd34

SHA512
e1cc6a6e9cab76e6e2923668adcccab00486801881136dafa8450826d0d291790c550223ab4c121e1d4f9244897c843534d45579a125e5d53b92600f64eee4d6

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
1KB

MD5
b40771faa6c1cfefac6448d97d61a5d1

SHA1
f5b3be7bde83813b665996b582f8e57ba651c390

SHA256
193cf608ae87b32c01d6070dfea5f4b2a6fefa984b9c0e8c040f5407858896cd

SHA512
3a7b178323674b766a2e9fcadb532d142e1d82953d3222e4770ded7466b0af5ef0f87667f69e7429e4ea3d1d7fa9a5b36f6b24330955fa5db317720a44b9366a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_K_COL.HXK

Filesize
1KB

MD5
391f64a7373cf779c11ac2c976e045a1

SHA1
a220791fdba7f855d86e0210a620c5a3cfd27aaf

SHA256
a050fc97ab449c60ef7403a0ee2a9b323eb925c8062e3d49480c23216ed09e1d

SHA512
656d137b0027f27ea7b7f7f1923b2c8be2c168cfa3e640a0638e96e0fbfc55ad179a5877a2d569fdc3eec04d583d0d8f2eda0bcd48abb6f63ed1c6c182e7166a

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK

Filesize
1KB

MD5
27afd7e45fda2b16eb067c2577885eee

SHA1
0f3a8fd5d5db3ed4a6fbd1695273f63c4c69063d

SHA256
fff064e5a1a0337d61634c780334a560da313c1c07dcad0161fd2f75a14ceeb0

SHA512
2c6378387e2bf82871411dff747e0c741a07d10ea08d83e8ccac8d9ede9f1d0666acaf769116e75b196d438df8c3180c6dc5cb84db7d72e422efb77e694bf0ad

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
e8f499a9baac810df03c3ea61c718c5b

SHA1
adb9bdb3a4d503e232b3c840fb3dee2615dfe8d1

SHA256
832ea6c00a381442f71589011c7fed5e7116ba2c4677d14f56a93348f1f7278c

SHA512
9aa5e3c6acca8e50996217105970bb90b6011bdddc0bee1f02d955beee9876eac71e68c96a0cc142c16eb4c03497b653d1e63f020b9c45a30ca5ecdb47bdf3fc

Download Submit
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe.config

Filesize
1KB

MD5
aab8c424760ca61d8ca396303f6447c5

SHA1
8471e3ba6e0c75d5f9613f36ce8f8e28acad9496

SHA256
15d1f372e186559cc938c703a6147edd6e7b16072951242806675709f1ac972e

SHA512
9f1bc5104d863128ea61e1ed76d15884e34c71718326717fd8c6136df5f45dae0ff1d1aeacce15b8f2a42afb4a424d65e1abbf9c5f225826cf1c3618a8381f87

Download Submit
C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL

Filesize
263KB

MD5
57ea12e4e164ee4cbc1232fc0e1cb6e1

SHA1
fcb6d4b52da98ac3b49287131392b4d7b67b6e75

SHA256
b5371e07b92f2cf0f0eb5a615485d97a68c5ed8b7eb2ea74ed69c3edb7268607

SHA512
e280d7449b6ea4400641dab25e377a3570c99b4a8837ce2dbbd2ce95a9c48111308e415c1734fca375f083ac96c796d6ca70bf04104e80f98cddec958a840afc

Download Submit
C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.locknet

Filesize
1KB

MD5
ce6f7a2c963d93f6cf284ef5621d5905

SHA1
8ca5325fdfdaad178151f72f8a7921337cc9e4c6

SHA256
5df7c593b2a2ba515132d709dca53545e35b6e04032acb53304625a4d8402de2

SHA512
b9fff636dd9601457b8a5fea8722d07be5e2b78b9ade9695a16bbfa2047f82b72ed5c2a243a4dc206aae74bfc3b9eb30230eac8edd95559d7b4ed45e19cccf18

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
64KB

MD5
32f1c9cf35d1dac1de56a21cff0a4bcb

SHA1
ad6850eacb713bfda0c5e335701136ad1370e7c9

SHA256
7f75717884396ce60b1c1f03fdd2354c2d0538a9f3f414467b65c3bba14d4390

SHA512
6528f169473b43119aff879457c32abc539dc4eef3c511274be92b907793cc0bdd37197bc25444f13596288a0bc9e27f0ff02d580a6a5231ccc5fc1774e57a91

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
448KB

MD5
68cb5bef2cd98cb640761e99225609ac

SHA1
9bfac83d0b4fba29f23bd552bb62d4d21c4415d5

SHA256
a3322c53a145519d0c8104d370fa6dd1d563c3c9ae4a44085af94a5b51107da9

SHA512
b655882ee595a564ed866631422a2c39064ad9115fb15295f4cbea86d8de723588233dc122d283011c544d22de4f60b537afc7d21e5f8b294ae3287fd89e4513

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
6ce94193e594c328c7bcd2a2e27e0335

SHA1
86fa6f79e8d914cdc0474f8955b1870796882651

SHA256
5369f6488a527aa7bf2d12a448956687bfce8d4243eb54adcfee4003e6a682cc

SHA512
72aff872ff36ebbc1a06996812567cfb269a8ec5107b50ce8566c29457aa28a64da53a28c0b38907bc4584b0ad5b1b1ae798db50e1a74c599bc61b7a492ed5c4

Download Submit
C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo

Filesize
599KB

MD5
665829a15c1545b6d53e609b8ef2437c

SHA1
aa365f292ec4fa9c8444ef7880b98b777101c474

SHA256
f630de8d6fd564e0158baef925405e8921caf4e835407135d54aa46c98b76229

SHA512
384cf9988ca1dd2b3a6c21519f32f1dd15cca59e857881e59415e0163ca87e7491b8b6a33bd331ee55e56bddc2ba095d335b1e4c4023f654727c73fed29de262

Download Submit
C:\odt\HOW_TO_BACK_FILES.html

Filesize
3KB

MD5
25bd57fa32c3a840896114bfa114ff28

SHA1
537335ee01b89cc6230e6390b1e9991c1ac8e687

SHA256
67b77daba2e55b7d2aab5462f73e50e9a7c9adba1cc83e35bc19cb064f09818a

SHA512
7f3cce56d33e1ac0d4aa67f2caf910e8956aec61674dcde07bb593e9250b3ba1d646093c5fbd955ba23e4bcbf5fa1a0bd4d901e77aef446f7175d16170fc4df3

Download Submit