Malware Analysis Report

2024-09-11 01:54

Sample ID 240227-wdsfxsfd78
Target 96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.sample
SHA256 96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a
Tags
medusalocker evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a

Threat Level: Known bad

The file 96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.sample was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion ransomware

Suspicious use of NtCreateUserProcessOtherParentProcess

Medusalocker family

MedusaLocker payload

Renames multiple (1474) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (7585) files with added filename extension

Deletes System State backups

Deletes system backups

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Kills process with taskkill

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-02-27 17:48

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 17:48

Reported

2024-02-27 17:51

Platform

win7-20240221-en

Max time kernel

118s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2256 created 1192 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (7585) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\cipher.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\cipher.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lindeman C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\plugin.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl.css C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-keymap.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15019_.GIF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2XML.XSL C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\reader\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\Windows Mail\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00433_.WMF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annots.api C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106146.WMF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXC C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18237_.WMF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\COUPLER.WAV C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Panama C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Ho_Chi_Minh C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Person.gif C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.DPV C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXT C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORYVERT.XML C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\flyout.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdater.cer C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00234_.WMF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\COPYING.txt C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00775_.WMF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105846.WMF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107150.WMF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTEL.ICO C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uz\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Windows Media Player\de-DE\wmplayer.exe.mui C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00194_.WMF C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WCOMP98.POC C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\fr-FR\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.ELM C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2544 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2544 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2544 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2256 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2500 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2500 wrote to memory of 2524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2256 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2072 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2072 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2072 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2708 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2708 wrote to memory of 2172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2256 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2560 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2560 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2560 wrote to memory of 2508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2508 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2508 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2508 wrote to memory of 2392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2256 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2444 wrote to memory of 2452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2452 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2452 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2452 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2256 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2832 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2832 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2832 wrote to memory of 552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 552 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 552 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 552 wrote to memory of 1764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2256 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

"C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

\\?\C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe -network

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\C:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\A:

C:\Windows\SysWOW64\cipher.exe

cipher /w:\\?\F:

Network

N/A

Files

C:\MSOCache\All Users\How_to_back_files.html

MD5 65f51150025fa68a4bff11be59e9b5f6
SHA1 3794422a46157099fd8559d4c9091722a26d79a4
SHA256 4ffea8a11f46fa99d6af944d71901c00c18afb408a8c43886e0519cd1db1d7a6
SHA512 ce50997ed5bee18d41a7aa62a8387e456f3639c59ff6fd76f9f7bf40f96bb7b3e41fd7695251eca50a6de64356c9a0bb1d047060b367dc65ec5068930701e4f3

C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

MD5 57b8d3acb65b22557131dd41318426c7
SHA1 cb8e7b1a9216c41ab2f5a7598c1829bb68ece2f4
SHA256 4068d7e03a51520641583c94e106737f61b3ff66f4716fd59370054c8c45af53
SHA512 13aee9f2f154d23200bf68e70e607e4e85d9100fae4987bb05d25ef467d47720d6cc7b489f5e29f4d99596baa32c7821012bd75e9bf263619f11d27a3ce4348c

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 d60a6caa23991bf7ec7ceb88b92d9ac4
SHA1 5f2134e2fd57b4547fa9ab74e1f10881b98e103d
SHA256 dab4ad4613322f3db5c327624fddbe4972d6019d06d680962f5b50da24e8f98b
SHA512 4142ad78443b66b2a642cf59ee7f5fe33e7a5f6d9b62fedec71bd40937e388207dba91bccbfe5454092087e08903bb16952d799f0ef40c4d0cff0513e0486264

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

MD5 3e51bac612f8cd3a34bd585b36b72fab
SHA1 908558ce6dc9a87c56faab01432625b934601e08
SHA256 cbbac87a89b53a8745ec2957e4673e2f42eb5f9dfe6f69f56554ba11a064d203
SHA512 003830a9382e27bf6386630b1db9a7abc74d5f9c47e007bf7afe98935bb0d6249a8bb9f97644e1f6e171d1a1224e5630fb021b62069e98acdac23ed244cd41f5

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

MD5 66c425a3b6ce5ec46e41923063f92335
SHA1 18be579bef60945c7da6b1eb86dd99a99e1bed12
SHA256 12e3aa055a6ca169d989b8c3e65f0f2b3006c6b257d46cad59c0595314655766
SHA512 673334c5595a9fad6f1450f902f183fd0271d90e0e43f5ff9e3a9759ce198075ad4c365bd6e0c40758c49f80c6cce4c1da70a5c6e0179bee2168683d00e4bcf0

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

MD5 ef10fedaa35816c83043c90ee5489f6b
SHA1 2840d305f68d236688481cc44e1b3d7843b8275d
SHA256 e3acdd9f06dc1e94cc35d7a6bec5b62ccd10c23ffc9cc09ce70c13dda96a05ec
SHA512 d28e64bbc02c5ad18e84967a918f5b9fade8c2ef88e79e264cec00b56293d672eeca3e81c3e1351f031227b336a22efd60255064712e639eb86dae951e1ad44f

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

MD5 60dd6f84c61d16228538b8a4df68759a
SHA1 7dafcaf60f07667d7eff38b4ed15dbf0dc7b7db3
SHA256 172b78b278711da3d20346d5ff795980acb9967e964a3813b61da15111b7425f
SHA512 ed656f57048a7cc9c963f2cdbe09cead013e2b23d536208d5cbb0c47decbb17d2707f4af16b99e144b1552c21e1a059f81b5e12d47a1e8c6272ccde3d9476d04

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 632dcce45f58848ee699d98a3a774472
SHA1 5f4efe847f0f6457d7f4f6c46e14871be7ab2638
SHA256 929b1ad282aff09aace64284224a565a52b95fb19d8cf04178693622636c0d74
SHA512 8e2cf6e03be6613f7f2c4486cba91e8b339f8bdaca8287c1b907f89d4e9f1ec0b82c3985230f56ccb06057d92efb5b769e9fc526085519eeedaff6a474ab0f37

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 eaddc87d2604c352031ca8b6777da638
SHA1 8d7bf1ba71a1b33e247b3373540e906195114584
SHA256 f837fce2b56cb5dff26a7612f149f4579fee497a6dda15c360219ef1e77a49ce
SHA512 4cad0a20ea898b55972efaa01ddec7ad8b8524834040d7bc528e5d234daccfb00f842726786634879817a4fd1c617a7687ddcab7c25f3114187d9ba541436e95

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 e80d0568effb19a45c8d2febeb901344
SHA1 2f968a2118f3a99d7fa42ae6b90ad7ce312bad17
SHA256 f133fc7174f89f789b5228683ba2e4b0bd7f4f6b1176df8268747a8eda3fd7a7
SHA512 d13349ae07ce4ba9dedc88ebb93bf67f52b921d284a17d4ef69420daaacbf913fbfc8e8124a4fcfe87530e5f9bf305921f0760062767bfd3ce8afde070bbe005

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 79f13c3fbf91603cb451500127e7af27
SHA1 86b3dafd7ba405db7e4ff458d33de8e6ac95640e
SHA256 edd02d47eb375fda9fab0f52e168ff020faa6dafa838940568a6fdf708f7a5ba
SHA512 c1abf808c18ba43a8b31ec0f7c030d62d834057ff9f6d391853e78f1875c6a79c13d4be4ff6c95ebdeff8da3d488b0ba81bb1baa53c382908d096e2ec56795df

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 c5cfa421ecd11da42b61275a3800c7f1
SHA1 7990fc1c0f025e953dad7da8139ef901c611309a
SHA256 b0c34aa2023244ab95239b5dc85b1f057f33630010b6b5a28615297d4806839c
SHA512 361d9b549697e857ba400bddf2b9f8748b6432cfbe8c0a0a7fa9fce5e5bef3efc3a629af8c5842d216c67c8c5230d1ae253f755f1e544fcc994283cece6b45f9

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

MD5 9945726b9c3a401431c5c80ee9b317c8
SHA1 abeefb5b3cc1a5f8cd1cbc6ef1fc3f26ea307571
SHA256 3dfbd0f82f836bd720298951ee2ccc3012b11d071b21a53b8b575093825d5d8d
SHA512 5893a17c624d595b57f57cb1c37ff22ca6598b3376062a1d7531e1fe3b1b21c9f9ffbc3744bc1377c96f145e7fffe18cf0988fb9f301d8278f7dc062332ac5e0

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

MD5 4b5e339fdcf911f8c2d6c1b94dc1683f
SHA1 568488ef4d76a36b270a45a22fd5475d94c0f1f8
SHA256 9f04c19ee2a2c0388b36ed96f0a3b3d155f1dff092a53ab9e2d8b9eb3e32e3bc
SHA512 4ea65429484e0102db00811af05beb4202cf25148796f5d745c7c37b08f61bab26dc9933f9785af5aa5c55dc8e35e77a204e81374cfee58f0bc83adb6cb258c5

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

MD5 31aab6beea410defe06e047ba6eb332c
SHA1 20893c3bfdb37baf2266e00c2a9e7d2840479d76
SHA256 2b5f3f4aab27b0a6405a0473f97749ca387781f2ddc58191564ccc37d1ac1a51
SHA512 3e53346485d078c9732971a1fdd7bb6ec7b84f76921d5e2d7e69bd96422dfd06a14af90acf98dafb0cff91ad7ed2d2f2ca659502e1f4d59f030fff74112eb854

C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 6c5ba7f017407ec9598dc0d38468cded
SHA1 f3a04a1e0600c378c6a46b6eaaaeb5f20ee91e76
SHA256 1d38701465e356732d1cc6d928ecba9e254f05083e709a90f38fecb9d145918d
SHA512 8e16b474013d86941e8b0881cb0a3f75b59feb92a381ec566ec6a09b660846b8cc2f1c80449833a6d4919784d86ac588c9aa1f8fa91d99fb60f0775556c81144

C:\Program Files\Java\jre7\lib\zi\Etc\UTC

MD5 ed1307dee94db429e647ba7603f5af09
SHA1 87c1bb021bab2e8c9dd7393b2024aa462923df49
SHA256 7384f56068af7fbf660d04fde7adabbb6d3600b3160acf33d1f04098dfb15d31
SHA512 823f4086c2837b2561ea8a717c7a20fabfa34857f5e10538a4bd462a04497acc5fc50ac6bd88ece24cd6f0f5b6dd30ab648c42b2b3d7df85fda60d9131fd59b3

C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

MD5 b3a0b0abec46271d28934e99d9c1a05a
SHA1 c8d89ceacfc19337d7cee61ca702c76ecee47537
SHA256 794dd151bdf4cc83b85822ca28c3a83566ff4fc8dfbda3e6c84cb16b83180614
SHA512 9c5762406d5649570a2382dbb444d2f7fada4522b773e08d3f24b9e860f8b3d3558527bf887ee0587c8335aba25759dc21b5573e0daec631b1706dd17602095a

C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

MD5 548cf4af5c5627a8f8b601b4e09a1885
SHA1 29a499ecc3df0be74284d8b16dca4d4bc7052947
SHA256 4c32950adc352e94be7270b15eb9199a47d2ea6c16353d9cceb97833cfd256b7
SHA512 3125beb7313ea809bccd5d8dbf40ca27166f3929c12bec43a2f0c9a5a322b2c715f78b03886d74e2c0cb1aaaf46c85bc878c9b614d3814d196545ff36c4629d5

C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

MD5 af3af931b9655d194b7d46f70c1397be
SHA1 1d18f188e8e1ce85fb827fe1273e5efdb314a14a
SHA256 3315ca4db18d188e07157eae756f7133e1f15ec330f0b4304137417d7b99064d
SHA512 5ed7d97b5764573f2f154c824f0e7fc54021c3a7b1ebc475a36a07aad4915b8028b822270e2e8c0b21cdb4fd9e56b0d005d7f0609e3485bb55df3de11b1fd4f9

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 86b4be3d3653682234fbabefa343aa6a
SHA1 401b0d442607efdb25a3b251aa0a0efd46de5dc5
SHA256 73747ec1498abecf0e765b2ce789dde656b1fbbd630f0bbbdb94b59f7616233a
SHA512 4d7016f413d1f306c043d61d0166d8380b4f5e3ba2866ab2e969ee328493d2a14d987c49f517c74f4483f6625e8232dee07e2f34f02fcb349d9f3f8491037080

C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

MD5 2cff68710220dbd6b8e1c55cf2d9e7b1
SHA1 034d25b3a2df28e93f68d837587b6508682d8c03
SHA256 788e8f2b7214b2718a1b6c0ccc2bd4e5be918e4a13beb1c74d67f6f922d24b77
SHA512 5d633e0136d475eee2d30b55c2e6a7f0f30c8ba09646ee1c09ce608193e1ee80c5293040adae148969c2820107da0255c4c2b1cbd45162198164e091fb13426f

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

MD5 9c93b1b54328625696528c5722561921
SHA1 7fe9711b711411516f1b1866c08fe7b4af20c27d
SHA256 b80ceec8e77f38acece4e1575b772875403eac446b440ef7b52af138c2251e12
SHA512 c348bafd051b33d5379ee044151fc0581b354408c3183076bf92a097d60d32d47ecab12759df4c6cc839da23350c5499f43802502211c178d2e990b8bbaa7a1b

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

MD5 61ea66893cbd44bb025a907ddeceeb97
SHA1 686f47b008de86a61a4a6e1adde8214ce4b1a44a
SHA256 c583524f4f2026e3ee5a6ce43b8cba3e2b348bf30eea0c18768ab2ecce0c25ed
SHA512 881fd2ed795456dc09fa425a5f8db57b9a7b82b92e019611b72e4dee48674eaa278794996823e3b4f16748f7665d859485ab5db2554706b85e0d1471cddaf775

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 cf67abcbaa594b399b4d1ba4dfbac277
SHA1 c3a2c72e506c944baf9956a4387a5da17a20b139
SHA256 68922aa1346dab3cb50e059351552a2a958da5c7c6bfeac15c058766f508caf4
SHA512 f94abd926eaa58c250a7d6bd0b1d86c93a28679116676475348d12f048299289f7832a545029f917faf6ebc4c2231672478541e59e26f61f32f87a162f853582

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 5f5975eb8cf3c355cd04be1478e83022
SHA1 16652799f7eade96dc03a27c168611280d099c1d
SHA256 b5d086b60d5d9912b0850470e01e4b88414a6f7c0de27993910036633a890fab
SHA512 5e4bc475ab984b0349d2baba311a2feffc5627d209c458ea4d2986f62ff865f2b95e34212a4a1b53bf6d4313c693fb51bb18ba0788871d0887851c0462d41b9f

C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK

MD5 6bae808ebd6c65a83b9966968cec633f
SHA1 49a2578ffbe1f78f9e7ec9d33db96cd58ac6546d
SHA256 b196605e42211c8885e905dc9816d931601214005eb222dca9928ce1a6c4eeee
SHA512 77c6108803d424d437ebc3a19d782f43dc0c3e5790f7d2a677aff74ccfd5d56a64f69d960397261355ed8b14fce1bcba47a41b2b853b1efc874aa889eaf05751

C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK

MD5 acf32653b9635691bab200ab6e04c2cd
SHA1 0e24cc5d85fdb9c051abaaa403eafcdacfae81f4
SHA256 67a88ad9c1094fc1f9a92dc81b17b9a40c343e1fb7e508a552742442e10c9867
SHA512 e20e144aa1b72c115a4ee571f3f66daed6710c35755ae1b99e7ae1e2b07581d03c0a572c46d4429bb6cdd3a9214522a1e72ea5175af1e71019bf2e9ba6e333f9

C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

MD5 e0e7a8cb0845956b1b9581e11d4f725b
SHA1 54f211ea7cc713f604b69f88e97adb76c8b2bea6
SHA256 9667f81fbf724d8adb32e375f96c73c294473048b0a1c1505c8f6596cd3a3dfd
SHA512 316ea2f0c9b2705103d11d4073d2393a6908434439fddee528a9b16ec62e71a44dfea7a5609a7e11368ca5813e92c23cab27521f65d9bc05b3a3a71c11c14aa1

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

MD5 6ce8e5881fb5240629903a7739bfc635
SHA1 3ae463d86a9de082f6ccc1021c1d96c10f6e6d95
SHA256 42b56c2ee62b3c9c75ac70033752799303ba0b9242d237b0ead153ac1dff54ab
SHA512 987dbbb9f0af65bcd49665306326000f2a7de388b0245f2baaf915105d1b6cf4f31bf2ff8b376864cb7335531f4a3ec8918ba66b9dac0fe082d923bdb8a30a54

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

MD5 cbda71c0b4bcca6d714a039a484e7212
SHA1 63cceefc02f158bd9cb194c06e35a2a32b6aa4af
SHA256 f4427c8da6e94dab5b89a0277425d3cb8944ab75a946b5dca59f4712619769cd
SHA512 26d19489fd59aa45869b3d93e8a2397897bf236a41ec7a9f0e428c2bbd698de8915d856016aea32dadaec4b3fc9ec9b6b326ac9f1f181f1aa0ae642c56307a5c

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

MD5 18d8ad0ea48c4b7b0db9b9ff07480f29
SHA1 e304803d8b36330991aa2c9befc4a311551b9101
SHA256 6affbdb1bc5549dbaaa2587bb88634d8559c9575337fdfc6f0ff8e6caa82ec2f
SHA512 ebe979adcc18692b55ef56409603a05ff1dab04f4a0550f16e8c56960dbf63a90e4552377471eaf55d9b1981de17a7b97d8ce49cab5499c745ed5ca1fef1f315

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

MD5 76f7245ca1bf4461fa28e6620b74416f
SHA1 68a43bdd753c80c33b29ecbe2fe6605341304cf1
SHA256 8a59b4fd1a3e6df28b4963137ce3b7749a216e5e4febf1c539a155296c5c1f6d
SHA512 b638e574025c3e6e608b29965153544fb3f2379e43751ba11e953c28cb63c343b4b8e6e4ae64df1ed9b8b3216df017d3bfa90b642d9a83c6af84fdc35e7e9568

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF

MD5 e59d4863176dd48b8fe32b825ddba181
SHA1 f1c69a4f7dca9e46973229f6b344e2266670bbac
SHA256 b07def6bed03a59bfa5052cc37221fb8ed50a2ca89e4e73ad8ee9833a88fed22
SHA512 1aaca9e65760a0e70f1cd16ac1140b973675c0191438cecbdbda9128186a210f054abad007c8e275ea13bd61379ef06f0bad90ef552b8ba45cf516ae1d1b3ce5

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif

MD5 e45bff5a8197abcbcd30120c120f9d4c
SHA1 9381d9b09772fc72096c8204868f48856b4d8d0b
SHA256 a7bbe691ec7514a6286dfa06bb68d96e69b88dcfde1bb3b09ea54de27a5404d7
SHA512 345134a97fba53932cf7ef687ded80bd2e9cf310b5cd806e449f096e617c56486ed88dfa08214cf7eace3dfe838c4f9dbfc0fe0f2da44b514747cb4cb4617da3

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif

MD5 55ab536bcc1ef0593a68b0c57252ac60
SHA1 597192fb81552ccac3a3fac4bf3c15130011574c
SHA256 dc193ee4f34cff5c0f48a77c47732cd20e9a88ff80666bd7c1bc86a6fb98fea7
SHA512 b8b80ae1c626a26b96857599622c1bdfa00221b1d1faa08337fd5c888cfc83c3862c1d6e8f6afc251683d1a69d76389877e850bacee61d5d6a3120670ab2ea63

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif

MD5 bae7601f7ad81c5315f3e567b2d63564
SHA1 e67c111b90ce966ee440a41cff6c03ef2c688529
SHA256 0fb2ddc84c86264c5ef4d7ce518f0560b606b979e5b9eac3585e26c305e1e1d5
SHA512 cdb9e16a956ae77592f982c87addde462334f5fd1ebf521fc90ecdbeac3560548e6856e21d10f5ed2260bdaff2d7093e9666cd179bcb896c6def09548fcb90a2

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

MD5 220246850d9cfc29f35b0f099e050672
SHA1 3b7f07072897e3af1999a9cac9b53da7bf182c9d
SHA256 3b67fd2b5895c60437869210479f98ef48667761cd7803f7a46060d78b24758b
SHA512 aa35754249a4c0e1a0c994d3ca3c51fb652489618c5805b343f4018702f1aeefaa5b5b582a0ff379ddf522bbbf6f3934c9b7067f975e4ef61f9cc0dd542c48ae

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif

MD5 5565302d1fcd5d91b750d8e0b7b75c97
SHA1 9c721a8dd82ae089fbb5e039183f9463806a64fc
SHA256 f89f926ea868e798a36cab5fa26b927845ab252e545ee425f7c8e833ccc5f2d5
SHA512 95de8ed3dc89d110856c947c74e78f8178c9cde18024240f8fac02ea34b4d01c9b4de802d5867281e36afbbba9240674e64175b8e85a8613f873b2ec37edc480

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif

MD5 8e03a4cf3b215c354ea00e5355013c12
SHA1 21b21840a08964311bcebef1e5ca44e3cf60938f
SHA256 a4e97a1b2ca362afcbe24db0f2577b8828e850343de876913368af788b3488b9
SHA512 33eaf2667e9fffbc65fb7fc4d1b6f76395acbbd8285022305445e15935f4e58e996c7502e3e17ecdc7428d58d96de67d0410e8d66cfa7f694d1d531870161a1a

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif

MD5 ed044cbd995681b93f203056e2549456
SHA1 a02272b2d271f23386c63256fb940c7b2e4ed8c6
SHA256 960a74817b1c9a2b5877f8752d2cfc69ae7c0025f9efd791f5cd48f32c447f65
SHA512 e2b8eab58288f47dffb01341d71ed9afbe05209f6456210103681f48762b13a5c1e518aed2ed7daf2f8f350fd5b370a603a48e16434ba5d7d65611a43e5d73dd

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif

MD5 474837bc7622436077e6434367a4fe03
SHA1 a9f40e555f7ee385d9b3a66e14b4d7e158b3b9f4
SHA256 2024d682e0ea25b84fc8b1a9fa1572ff36ad9ff6cb2b2bc25178752362e4c445
SHA512 12a823aa87ebf902fc0ff27ecdf63951428739f3765f815c705ec4818982687e925428fa62de2d0689bac88bf3326cae6137bfb6c4261505417f55c5699f4231

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Premium.gif

MD5 c8274038ae11379eac31815f8a12719e
SHA1 9e16540004aeff508dc10df833793a8fa5d60866
SHA256 c6098625590a7434c3f0b01400542bd50bff52379edc1ba244b713934f1a4a05
SHA512 a47ac7f9aada1d66c60d7394417ac6dabe01bca906e2e57b6490f2dc51090acacfba6a61be0983ce367af9008740905d616d7798eab951d10efeaf7f655a6cdc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif

MD5 98273facab870b6a81874511c7566a12
SHA1 0f9d6675edf8a39335ed19ef3159471d441b5736
SHA256 15c91ccce96072f78196eef3631359c9393b39ab4988d5265181fc4032b12936
SHA512 2ee158b04a9c7125bae0e18df642cfec1e5321fad5a0fd6487ddc0256de8630fe7aa36110aff834688d671c3993ad69cdc0f09003224fe53d5c06a0b8e272660

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_TexturedBlue.gif

MD5 0e240fc66a2ed2ed3eb17d5a05e30435
SHA1 1842bc722159b9e8934e5e13976197b7222652c5
SHA256 920d9505f3c4d24a62bb6973fdb404a4f0801ce578e7e4b977fe7246be2266c8
SHA512 592cb24f72946c0332f7fd598088c5818b4ce2d60a1ccb84b3f08871497f825e8c71f72019c9f2a5bda9078b60bd221dbe1bc78f250a9f8ec1924153aa1b0619

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif

MD5 238ae93bd3651f654bfc0adc964c8b75
SHA1 49f93a6e8c97fc1c4a5461ffd63a5f49b07080b6
SHA256 3d9692351e5c388756f3b4e2f7f41bfd9430230fea6b5850d7bb60e5108ebd67
SHA512 6ea1b59a17f784904caf518ff3e56659024b4b7422cf2e0ce3b3b6f43464139218170bb7aa2aa0a878387a30bce7a150e3add3161ff2c5f6e89a7ab4ffb8bcc9

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

MD5 faac2ed42ea2edf38877e481b19cab2f
SHA1 4721177c9951907d54fd820ea433e93885007f14
SHA256 73ab2789fd0ffaac9b33ae500167c6eaf7e559f56ffac4b6450153d3e965fe4b
SHA512 3898585a2b0340d5fca358fec4de07c85aab98d1c6bfeda2f6b7a2a9065b3e67297495766fa7223a3f88d49ed316a24bebd8ac1c077232f97e2b3e962666e811

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\BUTTON.GIF

MD5 426a7047dd17ad624b62c1df831994c8
SHA1 bbbcb6a3b8d80e9ac2478518d56c02df5e690076
SHA256 6e498342d604932ba633f7b668b9b0e9e2212cdea5899609297b5c91577689f5
SHA512 4d5c833e636d4d509c94f0f38a4806d0d2ba774940bc7f41b9135c0d78802391df9d543b3df065cc6a8f7315fc243450951bed16224ad689f99b1f1d8f31ec4b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

MD5 d232a91fd5dba8b45396c13170ef7229
SHA1 5cfd1bb0396c86dbd2726f02555743a85288fbbf
SHA256 0a44fade747e2c2cc4b3dfde033efc4240b2773da96742f67d8535ed74be5953
SHA512 075b9652c91960b6f8f4dc8d9b0d09d7161f63ddc2840bc689816e5233ea72e3c86d9448a658985ff5187d55660a470470ab2aaf83f57663b2241dca1f8b5dcb

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

MD5 be8b33c90945e6c56bec3c7b7cf7c42f
SHA1 8e5420dade5186f29c30ae85e4887839a863a76b
SHA256 6e306906ee833d148e0781455749cd6991fbbb3a926b3afb8e7dbcc0c07ebb73
SHA512 0806ede0163bf5eabfe1472af2c799e0579468854913fa92b62b8b8d9c1e65564c406ebadf5bdb9f1ff528f40ffa5e2c7b2d9dd4532d560aa3588960488ce041

C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

MD5 b74cc7712e716e776d2d559b25f7da42
SHA1 3c31d01c7c5e66b57c9cda2eec6a18f73680c403
SHA256 d2a0212ab8f19e97142bc34b6ca23adba077269449c05149e1fc6be0ce296995
SHA512 9354c780c06ecbe83a552fc15c78e65ec0cd576902eea9f86e03a77bad3dd01838e547729e1123afd32f83d81b2ad40c8e8644f4d3de8a3d77a8ddca56a3b1e5

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

MD5 c3f0e7c186455b8ef53e2bf96c672399
SHA1 1b51243f292047147491256311d271de46400013
SHA256 6fdd2aa63206ce766ff7f6211165ee337c4026a84747c6eebd9ba72a79053fab
SHA512 6ea69fd1513f16770f4cabcdbb284966d7e8b0cc32ae627322bc312db8e3045dfd64cbba31da6c80db32e36fa1e5c2e4735bf0da5db364cc920f642c6bdea9cf

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

MD5 d1ccd047011c18961093321487eaee9e
SHA1 049bcd807225d529d940dc83e52a2218afd6c9b7
SHA256 3aaeb68a3bc7053be04f0136ddb1fd626638f99f441eb12db45ce709ba70a21c
SHA512 f1083c94db3efed0a3878958dc2e58997c605c03061533dc3185ad8a4b8cf40b93fc7e522d18bd7cf50ed948a3a78281f9d52add458019604a5d4e7a61a86257

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

MD5 5a7f79461c245f0eff8f1e7351cfaaa8
SHA1 acec0c1838c0d2c457246fcdae299a60b4020ff5
SHA256 b57b2cbab788e53d7652c11feae9abe560c31eae85cf91f042317ef2ce42d3a8
SHA512 ba0c8bc07a85e7a0a2db9b70210fb55669465f844edb823627b447d3787baa11191e9c16f271110588d9b21350ce2b45d853c3dbb05f684ba9d12bd823158d76

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

MD5 5b583d1e794a6c2e62e476b3d6868baa
SHA1 d38b4c4cb15d94b5a32e3602b9f6313d5e435395
SHA256 52e55bf62e40cd71f6d8229b94090654f93f8a595f267997a241695393b4208a
SHA512 184fe7ab9bc3f564846fa7daec72c84743aa2f17e78a3e269d99b156120761e7cf788a1da4ca896d5c27f1465cbc8db0883e51105a8e0033c018a9f2df5f99ac

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

MD5 fe9214764d6c480e459ddc83decf61db
SHA1 33baac2e957325b270a45d116e31bc98981debdc
SHA256 b080b84bf1c25b52718aa6fde55c8058e48478a15272fbca4267802020e8448c
SHA512 f6c4d3a7fcf9d32628dbf4ccd6124d5cf946e3fea759adfdf53fd45673b816fa7275a974b09e7f51861125bad148e1645ab48c494c54897a190cf7b74925c19b

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 7155c4cced4e15025282fccc30418b02
SHA1 14b13e05509a30949e98a15638f8484fc101960f
SHA256 7fe50cd56baa30a5e6a4ff9bc2261fa04a98c9c03ba3b17d21af6c8393ff8eb2
SHA512 13b5f10ba03dffd804b6ad2994ccf856c813c8c196990ad7c59c692f07bc30c565a787d4addac096e9ceba2da5b927e574f3b7f05a37fd4a0df243e8e59830bb

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 17:48

Reported

2024-02-27 17:51

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

166s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4568 created 3364 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (1474) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Common Files\microsoft shared\VSTO\vstoee90.tlb C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\trusted.libraries C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription2-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial4-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\ext\zipfs.jar C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ba.txt C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\en-US\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 8.0.0 (x64).swidtag C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Office Theme.thmx C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\icu.md C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_PrepidBypass-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\server\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_MAK-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\en-GB\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\uk-UA\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\javafx\mesa3d.md C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProDemoR_BypassTrial180-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ga.txt C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\policy\How_to_back_files.html C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\jdk\unicode.md C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_zh_HK.properties C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_OEM_Perp-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\fy.txt C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\.version C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\release C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\TipTsf.dll.mui C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessDemoR_BypassTrial365-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\net.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\net1.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4568 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4336 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4336 wrote to memory of 4680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4568 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2808 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2808 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2760 wrote to memory of 4744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4568 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 400 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 400 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4608 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4608 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4568 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4428 wrote to memory of 676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 676 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 676 wrote to memory of 3404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4568 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2928 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2928 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2244 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2244 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4568 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 1228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1228 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4568 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 4220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 4220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 4284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4220 wrote to memory of 4284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4568 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1380 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4312 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4312 wrote to memory of 3552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4568 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2372 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3900 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3900 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4568 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

"C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe

\\?\C:\Users\Admin\AppData\Local\Temp\96a1e457593890cfc5535daa37eac9aef9f18442608ee7c14fb2f1ba472b626a.exe -network

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c pause

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.17.5.133:80 www.microsoft.com tcp
US 8.8.8.8:53 133.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
IE 209.85.203.95:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 95.203.85.209.in-addr.arpa udp
US 8.8.8.8:53 168.253.116.51.in-addr.arpa udp

Files

C:\odt\How_to_back_files.html

MD5 99cfe652fdc08b0d5eca680122ad019a
SHA1 707e6d14af957212d3d0ef3c2173fa0cfca6f0b1
SHA256 0de3f72964b33f343894fc6086508b83da40cdc36ae7990193bf8b492c57fa2d
SHA512 97695be02db54aa1835da863bd596e6209208abf295ee336b06abc7781a37fda804983bbf55de4ac44396ed41db544449b951bc42c019b3c0673fa520709d439

C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 c8a36a9d1a8b89f5508a10ace4446eed
SHA1 ad48930ea5f0be2f4206e79ea5bd54cb053ab677
SHA256 bda6a7ced31b628dea9717aac6ced7746d76421ccaecd37b327503da6367a74f
SHA512 3b87eaba95dfa2ae5127ce71720f45beb8aa99b2dedeb469735f42a3b23171d6455d8bd5e91345e40847980ffaee9888678a3dd2cd78e76393d4b8769d4ed875

C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 cd2fdd5398a38c636255025943a69083
SHA1 93c5dfaa2ff36eb7711c8f751df53598a3f9dc0f
SHA256 811cbde7d609e187d3bbabca2d81aaeeae5adc7c1928db0afad86324dfbc3ae8
SHA512 967c1c8cc12e5df5f43b39921b63278df8b43f2bd69c5a339422ef1a03d6e40f0c73c02d34c2a77cf9e833ce20be8b0029ae3b5ccf9a82f8dd65b7e84c75c73f