b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f

Analysis

max time kernel
164s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Size

335KB
MD5

a286b1e0dc7e26204e9751423ff1e842
SHA1

394e03d3010222b571d1a70bde0233407435bcf1
SHA256

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f
SHA512

7d6c8f8f829f72b89783598e01baf7b597e459a9c210b6dbd3d8aaaeb3aa93e99e309c9155ef7832bd1ff88d4806448b73744136dc59022fe3ddfaf1d1faa23f
SSDEEP

6144:5Y9zfajnC6iGm15k66Clhdq8yZXlkV68pr2g1PJbmV6Mqu:m9WHm15k66ClHq8yZVypHMqu

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">cRknxJjz/WNuwEZFtFxZJg8o2Xl7rMLz1K0tISYv+63b09uMXDLGGVCZnfBRjPtwajCL/YcIzvzDnzaK7theNQsZCD8QLFE2hSbSOq3wjh5ByWq2r07/h5HuECV+MDxQj+hf0BhKd0ngEPAQlDfp7Ltr6//5vY1hw5dfyjiiPZJ6+YBd5c1+V2/XI0waFLhEwcgKfF4D9FZlhfAQH6Vqo94C479vlwwlI4baD1bD4WUjBeIv1swofKgZtjxNBhWmqA0XvF6jsFknjZ818kGmeOpjcAzdod8hCTT2cZfzJ82sBVsBAErNb+Y5q1WuN5/NCfUB5n1wa9ucCUmmIpJ1Q4uW9aUaPIT17MXYQmTNJfn5AjD6uo3yYfADA4cQfoUfz/ktzm8ctg9gXASaiEVlQ3FwDMNSOTwVkxlfurvfDuEBgF93dHqg6TtnmG1pW38WFbBbSKuAo+4eek9D4xELXjFO63/GPbfDwk6Q9mFNoX4SaLg/lJS8J+XukRXMpvL3Opo483rbCW513DYzQA2S9pnykKfL0Hi/YRg+KSMeZgdJaCDk9Injq68FIigzzRyqZsa+alY37ziYHvW/yFPHSXmd+LGGB58C9kWbwU+i10rkAXZ/eXkbZUG+TEpsERXGQ84V2MoAiirT9NdVFTaW0n++kv9haj8wYFC/vyfqpLakPWNydSRwP8cedI4qDLBylKhmkA67YX4NQFHOH16LWWzMFR8uKnepBealVt17UXIXvRPSaQJ+ht/VYlnH+CyQ2ABNEKrZUsxQXCxVQ0g3v1+7fstmR3EgYuJgHR0q2kdLHOmk7gpL2kv/M1dXqM+TB17ys7+0acQxW1qlQJF+18ZGRL5pjMqIr2E4i6E8dCEReTppBwhtxyxScx+pcradqnuc2IRVuy4f/VqaTtHvune0MvAOykk8qP5jCqz2cU3oFohGns1MzzPfbJiDeKptBMUiCpmqGDD6LYYsl39cB+PHh851S4CWypveQKIXJVKXHAYVD2KyMqxyc34Z8+i+Aqq5peR8wo3VlR2MSZ1WSTW9Bfja96p599P1g/GpcK6xpO61tGS/+wozHu7U02c8VmdYeiMTyoESb4pzWD1zg00f1iK0QKvH8xo8ufSjY/QHbYT0Qc4kUcwMNkbB0KWzAtg0fcEwtDFB9+iu5pAGUd0ycPTWeMq5JuO+mws1Ts9C+P80k8oQvOivgowXLBZFX1Q7AOiTZ2C8FEbX0i6YKGuUHa26Q6a4VxkG7NzFwTlYxYbzfTBkmxerqs6vLQSKizPicjUnRxzIaEg8H+rxxD7eneKY8LNXT08L4o1/WrlzFxo6ylstKus+9WkCuMSwPQ5auR23SVRHvlDcmHamh4Rq+PTw3I+c/gSgHHFvwQ/4of0DyEZBqoR/FI8QIudbEISPO91chFB8QZPgYXxTn6lm/+N+nCXxPTDih0AdJaM7Js9h3wiYI0YCHlnVuv2qWu8ibNUsQOV7eY/Wa8mXi3h2cJ4Ls0keZvkN2mT+svMxM0qtE8t2VeY1zbyPZW8qD47wprpRLqSjUBCMEfAlRcFvcPjX32/KYICLMz95Ii4A1MM4EqmTqVVIgWLVe5pPQd8itQapTLGthERYFeboqGOLV9IoUPwFcQxemSiIuL6y873wktQILK0/EDQNzwsqoZwB8hUN6yO/dql6SfAM2N9SQEq/YDG7Ll/DS3L2POA=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

description pid process target process

PID 2524 created 1192 2524 b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1040 bcdedit.exe
1432 bcdedit.exe
Renames multiple (7279) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2180 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1296 wbadmin.exe

description	pid	process	target process
PID 2524 created 1192	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	Explorer.EXE

pid	process
1040	bcdedit.exe
1432	bcdedit.exe

pid	process
2180	wbadmin.exe

pid	process
1296	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exeb896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe\""	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe\""	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

description	ioc	process
File opened (read-only)	\??\Z:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\Q:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\I:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\J:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\M:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\E:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\K:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\L:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\N:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\O:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\R:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\T:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\U:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\B:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\V:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\A:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\G:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\H:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\P:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\S:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\W:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\X:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\F:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened (read-only)	\??\Y:	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

Drops file in Program Files directory 64 IoCs

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\vlc.mo	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\fr-FR\msaddsr.dll.mui	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_K_COL.HXK	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Salta	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\MSB1AR.LEX	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00343_.WMF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Danmarkshavn	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\WET	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Madeira	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00417_.WMF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02384_.WMF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw120.jpg	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\settings.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\de-DE\msader15.dll.mui	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OMSSMS.CFG	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBSBR.XML	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InkWatson.exe.mui	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\vlc.mo	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\mpvis.dll.mui	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\library.js	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Microsoft Games\More Games\de-DE\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01161_.WMF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300912.WMF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-CN.pak	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-io-ui.jar	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\CAPSULES.INF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00270_.WMF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0197983.WMF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03668_.WMF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21323_.GIF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\How_to_back_files.html	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL081.XML	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\BUTTON.GIF	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

584 vssadmin.exe

pid	process
584	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
324	taskkill.exe
1500	taskkill.exe
2880	taskkill.exe
2716	taskkill.exe
2460	taskkill.exe
1940	taskkill.exe
2128	taskkill.exe
2112	taskkill.exe
1820	taskkill.exe
2196	taskkill.exe
1964	taskkill.exe
1616	taskkill.exe
1036	taskkill.exe
2100	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

pid	process
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	324	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	2100	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1940	WMIC.exe
Token: SeSecurityPrivilege	1940	WMIC.exe
Token: SeTakeOwnershipPrivilege	1940	WMIC.exe
Token: SeLoadDriverPrivilege	1940	WMIC.exe
Token: SeSystemProfilePrivilege	1940	WMIC.exe
Token: SeSystemtimePrivilege	1940	WMIC.exe
Token: SeProfSingleProcessPrivilege	1940	WMIC.exe
Token: SeIncBasePriorityPrivilege	1940	WMIC.exe
Token: SeCreatePagefilePrivilege	1940	WMIC.exe
Token: SeBackupPrivilege	1940	WMIC.exe
Token: SeRestorePrivilege	1940	WMIC.exe
Token: SeShutdownPrivilege	1940	WMIC.exe
Token: SeDebugPrivilege	1940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1940	WMIC.exe
Token: SeRemoteShutdownPrivilege	1940	WMIC.exe
Token: SeUndockPrivilege	1940	WMIC.exe
Token: SeManageVolumePrivilege	1940	WMIC.exe
Token: 33	1940	WMIC.exe
Token: 34	1940	WMIC.exe
Token: 35	1940	WMIC.exe
Token: SeBackupPrivilege	1528	vssvc.exe
Token: SeRestorePrivilege	1528	vssvc.exe
Token: SeAuditPrivilege	1528	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2524 wrote to memory of 2648	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2648	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2648	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2648	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2648 wrote to memory of 2556	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2556	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2556	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 2556	2648	cmd.exe	cmd.exe
PID 2524 wrote to memory of 2436	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2436	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2436	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2436	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2436 wrote to memory of 2592	2436	cmd.exe	cmd.exe
PID 2436 wrote to memory of 2592	2436	cmd.exe	cmd.exe
PID 2436 wrote to memory of 2592	2436	cmd.exe	cmd.exe
PID 2436 wrote to memory of 2592	2436	cmd.exe	cmd.exe
PID 2592 wrote to memory of 2716	2592	cmd.exe	taskkill.exe
PID 2592 wrote to memory of 2716	2592	cmd.exe	taskkill.exe
PID 2592 wrote to memory of 2716	2592	cmd.exe	taskkill.exe
PID 2524 wrote to memory of 2228	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2228	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2228	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2228	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2228 wrote to memory of 2444	2228	cmd.exe	cmd.exe
PID 2228 wrote to memory of 2444	2228	cmd.exe	cmd.exe
PID 2228 wrote to memory of 2444	2228	cmd.exe	cmd.exe
PID 2228 wrote to memory of 2444	2228	cmd.exe	cmd.exe
PID 2444 wrote to memory of 2460	2444	cmd.exe	taskkill.exe
PID 2444 wrote to memory of 2460	2444	cmd.exe	taskkill.exe
PID 2444 wrote to memory of 2460	2444	cmd.exe	taskkill.exe
PID 2524 wrote to memory of 2496	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2496	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2496	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2496	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2496 wrote to memory of 2888	2496	cmd.exe	cmd.exe
PID 2496 wrote to memory of 2888	2496	cmd.exe	cmd.exe
PID 2496 wrote to memory of 2888	2496	cmd.exe	cmd.exe
PID 2496 wrote to memory of 2888	2496	cmd.exe	cmd.exe
PID 2888 wrote to memory of 2880	2888	cmd.exe	taskkill.exe
PID 2888 wrote to memory of 2880	2888	cmd.exe	taskkill.exe
PID 2888 wrote to memory of 2880	2888	cmd.exe	taskkill.exe
PID 2524 wrote to memory of 2896	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2896	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2896	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 2896	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2896 wrote to memory of 1564	2896	cmd.exe	cmd.exe
PID 2896 wrote to memory of 1564	2896	cmd.exe	cmd.exe
PID 2896 wrote to memory of 1564	2896	cmd.exe	cmd.exe
PID 2896 wrote to memory of 1564	2896	cmd.exe	cmd.exe
PID 1564 wrote to memory of 2196	1564	cmd.exe	taskkill.exe
PID 1564 wrote to memory of 2196	1564	cmd.exe	taskkill.exe
PID 1564 wrote to memory of 2196	1564	cmd.exe	taskkill.exe
PID 2524 wrote to memory of 1432	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 1432	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 1432	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 2524 wrote to memory of 1432	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe
PID 1432 wrote to memory of 2180	1432	cmd.exe	cmd.exe
PID 1432 wrote to memory of 2180	1432	cmd.exe	cmd.exe
PID 1432 wrote to memory of 2180	1432	cmd.exe	cmd.exe
PID 1432 wrote to memory of 2180	1432	cmd.exe	cmd.exe
PID 2180 wrote to memory of 1940	2180	cmd.exe	taskkill.exe
PID 2180 wrote to memory of 1940	2180	cmd.exe	taskkill.exe
PID 2180 wrote to memory of 1940	2180	cmd.exe	taskkill.exe
PID 2524 wrote to memory of 1340	2524	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exeb896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
  "C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2444
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2180
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:1340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:1472
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:1292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:1984
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:1516
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:1676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:2188
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:2248
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2080
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2172
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:1740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:532
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:1820
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:1184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:3032
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:400
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:2204
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:1532
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1528
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1364
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:3052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1628
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1088
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:908
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1052
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2840
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:572
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:1412
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1524
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:1308
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:784
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:1572
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:608
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:800
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:584
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:864
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2296
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:528
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:868
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:884
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2120
- C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
1⤵
PID:2032
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoverynabled No
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
PID:2948
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTATEBACKUP
  2⤵
  - Deletes System State backups
  - Drops file in Windows directory
  PID:2180

C:\Windows\system32\wbadmin.exe
wbadmin delete backup -keepVersion:0 -quiet
1⤵
- Deletes system backups
PID:1296

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Modifies boot configuration data using bcdedit
PID:1432

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
1⤵
PID:2636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\How_to_back_files.html

Filesize
4KB

MD5
416031de705f5ee5d35369a99be69a0b

SHA1
a656189f41def5f5f8cbf55a1d378033685e7946

SHA256
5e158d468151bd9789f1e505bad745cbd7face86c876576b4cc4bedcae8a6b60

SHA512
ce27f14c3614d5b0e22a2cc3338d8cc6a28156fc89014d7390fc9c31fc6ef6aaba28177ac99f2928bda8c73c23a2be17d8b8b3421130b1db2c2c5ad513943e9e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
6f273f80b9ba9f2bf992f556531299cd

SHA1
d55ee3e09165c04a16ebd86bf89f0921b6939304

SHA256
4e86bcfc6eb7d0464a2432edfdf4b4b75c0b20458815d56f5a8399f67c393f5f

SHA512
4f0eede174cccc230a11060c4a16a946edb3d8f97055a9827bda3809045510b2e7af23088615f9083a181cc6e330fe9b81ff8c66fad24bc33650d2566a07d145

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
bffa3d4332dc13c5d5afe0aa5845613f

SHA1
df26307637fc591e4bb019ecef44832a2748de30

SHA256
95694ad785f9fcf3054fd3124a50eebe893d050b38bc284a0a4cde4e3a02fef2

SHA512
c8bc5dcf0ae0de2efaf3dc1e72463b82ff8a669a58e6621fd9d61f7c25a130486a61d80fd93a1e314727bcc893d7e6c7039f7972cc0b0d75bc36c68d304540f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
dc20f151bdda653297f0a4a4faefb863

SHA1
7bbeff5d3a0f23a253a4901c1a49ce6c23547499

SHA256
0832df2ab8cabe33dffca215a76bb6446271112c462867ed10d589789864ece5

SHA512
71bea35d59db46d050808c2ee29860c3443aae520db673fdfb7c7ad0b1f6ca99bc7a2e264592f58886e112908227fdabc3e32b9edcbc886fc5fd7d7842d8c835

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\TAB_ON.GIF

Filesize
1KB

MD5
488352d6641a46c393cd8177513b6e4a

SHA1
938cfe632b2def804349eda7ff297373deb7b166

SHA256
3271d0274f541ddff05c2eada76136aa973a0b9998bd0bf8415beeda574b25b7

SHA512
c7ddd0fc48a22066281d76c950ff3dd69a2506eee5c3fafdd7579df635f2403e4676c83714bfc48ac8f3df27d24ddc4cf5080989dc39543c398a8a5daa9a456b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK

Filesize
1KB

MD5
60e495826ab10079674c5a953f8e5abc

SHA1
b342ebbe1c775d8876ba78351519a242290f0a66

SHA256
5dc509695b6fa2e2de8bae35dc3f41b3d88f9bf0bc2b90237eac9428b06ed1fc

SHA512
a75cd608b860d4f9002485912bfc50ae0170b967a2c4e9015c21a472755da5bf49c8d07b16c9753b484fc2ec9a875d69b100439ca5a0b70c12680f381c4f000f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK

Filesize
1KB

MD5
f2fda743f55557dc18c0ab863649b90b

SHA1
7fd0c011a048650bf689adb166ee461e5b543661

SHA256
c075f115f8dbdfcca99d150240578d357cd14178f81d465a32bed818b448389b

SHA512
41061fceedc8bea06cb7659dde97fa55c22144cc86efe55cd9d2bd56956667f29fd8a0eb712448e78c38316d7c9d2a4f2f7fdd01a3a97571d73c096b45b2d28f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
6e48a8573b8a5202fd31c9732f584ae7

SHA1
1efcaac46fd62e7490d034f384ba6bd183012511

SHA256
55f8877cd235c7f4462feee2dfc60aa106875c387ee40e9e53b9688ca9fbf217

SHA512
b7ebb145a2ef7885d9f3715e62ceb18965e7b478affd3c255c5841e11f0806e1490dd4e3e0674a9738b8c9f21201f135ba25a9b44b4c60b0f407675d86eb348f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

Filesize
1KB

MD5
9c0eec5bf41c77eecc53d3ed80e1889d

SHA1
782943692e42dbc44c4360f3aaca24666306c0f1

SHA256
271fcc857665323580e02ce6e6e0796290fc50c8ac18929974d4d0505bbfcb53

SHA512
909666916e5e6f72e74e70670ac4e5bd3be160c27f83e8a29d0b37ab85452b4c18348ff0c3f04b00e300d6a64d3a5af12cc820d0013ed5c5447878c5847a77dd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
786a9b18ca60c448cd32494342ee379e

SHA1
17a572c523117c5f305b2e178a481b04c7f83c0d

SHA256
7d48ce41b2795f67a0b27a56f9a90c424500a8a17c7f8fc15d8882cb2bf42f53

SHA512
94563d3a69c748c8c3b188ade1fe0b5714423267bbfc0d077d40aa4e07d7ea77b5d63fce81aa2ea758470d8c2d2fee81b317569250ca8f68b1c507cdbb0e527d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif

Filesize
1KB

MD5
062798fd4f1c935120ebda94a7e23b0f

SHA1
44994d921e4df686578ac3ed4c16c8fa0d293902

SHA256
38f712df83c18d807b844fbda9b05e848eec61eab419d53584fe29ab47e20abe

SHA512
a691456fe5ca37042ae0376f4b91ab6caeedcdd7f2674def2dad50ff5a67c7827ab5b8aff5d9d604f435d640f46b7418d62c53779c34fd7f029c56535560a271

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
1KB

MD5
f279a92dd976612959e29f8860469c02

SHA1
3c74e8960ac21f6a1cca8594abea4551367bd144

SHA256
60785e3c0d4e14490d5a1041cd0f144fe7def3fc62d623d623738e6a97b522b3

SHA512
1e0cdd48e24656b87ada3bc7673f7b25282fb0c9a72c0503cca62ba22fab72c493ad73d936dcbcf9b16462fb775f6ee504309e5416b80ada3514b569a5f6bb01

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
1KB

MD5
1746e1e4ac4068647793d2900ee4160b

SHA1
796dc57030f055745d2f495280243b791f549989

SHA256
c23dae96235a41ca0a8d7cf1d8cd31fd17e206984ce603f5629cfb1bcdbf8b85

SHA512
8d98dad0129f55398c644df14c62849d5a1bbe19d68f49e7af59fb55cf1df93dd36ce1555176698e1bba877974b57db18bf090f389250e498e4cefe440b512f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\TAB_OFF.GIF.busavelock235

Filesize
1KB

MD5
cb0687cbae4ce3493e4e29014ae510fd

SHA1
4aae2889f766e0ee5e0b89be132db32a48ed2b89

SHA256
f58549322073d6e28333734d17930e0f9c5e03f73b9717b74c486d4c26736f2d

SHA512
710eb270df69f701ae0e60483c19d3b1f198c690d10335a760dd7ee217104babd408c6c7c8694846755fd3ea899fe0a7301767bf7a400b892bcb0163babaf0ee

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
b91717d87d1750873b40cb3010b9e0af

SHA1
a3ceefd88f33098fc0cb112bf5d9cbcba792858c

SHA256
127468af2f52ec3c1efd26817473e4b5be7ae08a24c2abf40a40cc7d9a697b39

SHA512
2916dadc4bd8a75094bac36a3a3ad3e0b3dd445b8c6572559a258f6957973eb83e0d736ab8204453c4b5dbdf3606227ee8d2c05ebaf3dbfe9ea58ab09a555fe9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
c2c803f8840cef49039d4311b3bb3806

SHA1
3972fd340645f65b8cd9902992151fc9972ff295

SHA256
139e929564241fe5f2d4c3d3036b3a12719435fa4df435c190088a1761804390

SHA512
a47605cf58d4a9ab12a94e780b201535b8e25d40d8c2c4e307f4a4942b61c18a02011e4b8e9151e7d4faaf280201ef44de5698e7c89db45759d622ec565d9b98

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
23d3e912d441a18d1cd440a1a98efc63

SHA1
4ffc009bd049313f368c0e990452feb5a063bdc5

SHA256
702e3b2ab1b4e63eaa0a414018a4621c29ab6b6dd74ad8d0cd87675175632c43

SHA512
305f6b080652cb69db5770d7c28f1986989d46a7018a4520c17bb72fd8e455e9510c391c6f97dccc4ea482a493f59bd3c9bc62256c0d2c25db434979f6d0fbdb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
5f02e4a1295de9f66e9b3794ebe9ace8

SHA1
90ae1bb5605ebba0c777fb40500cceaeca7d97b3

SHA256
2042680fa9326e88f0f5e868a9ec6194247dccf8c844069445bb8b5b45f388ff

SHA512
cbe1115d3b10c56ca5cda4f8f9685c79cf47cc7448b6536cf72a45b8be473f15dba65d57d410092400aed8f666e4e9fc277af88ed9edc3a4b20f018dcbfc82c1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.busavelock235

Filesize
7KB

MD5
ab0f5954f3140ecfbc36cdc617f9c6c7

SHA1
5de1c1449e7b19c0b552623374c100a01c09c0ae

SHA256
db3dbb902687d731628eabb8d5f7985b13bff8a304ff503ed15707e9483b1281

SHA512
ac6ec37cb1d8d4549e71be49fd060ac129d375130b921090d82b02c2036ea145a79a8ac967c6c72e2519716f71e02714aa77769f845135171b75635c8249ce5a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
1KB

MD5
76d220c388379732f6f3dc419e703fc1

SHA1
6f12008e8c92b93b997135c9fdd33ad2b43b9d9a

SHA256
1b58bd744ef2cb5824ede70973b93075e5ef279858f28c9e3fdb03359d5842ea

SHA512
10da4524431edd16eee6b6a7318425bdb63f1a0274544e58f86e83ec356eaebb6a0ada97dc4d9d65163606989bc0d412f0b74cbb8961a42fce08a15429d2bf51

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
24bf5e4806994d09a1be6ccf54513c5c

SHA1
ec6ecaf584322e22dc60861aca5234b902039eb1

SHA256
13c070390de3d9eabb9caeb1c287329340f47a95b965eb309af4bb3cd4fd3c30

SHA512
e288497e74b586f5db1d0bb70ba7fb1202319903a70f97a95d535eca3af1a03bfcbe310d90d6bf0edafa31908cfb8c9411debd56d4390f854a0f6ef8997bab74

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
84b8c71730f60e964290d7e1c6814162

SHA1
a942f6e079d80694187c317dace665cbccd763b9

SHA256
41e9f2c6d619e141784cb556ed527b88b31b30f60ac464bf86f62fdcee1d241b

SHA512
293116a30aa49738be11a28abcb22d06e40497edbde4411fb80227961f0026657a12eeabf45541574603f3c3336e85c42f3d5a7f86031024c9fce134546f404d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
00f696f9daf92790122ea01256fbf17c

SHA1
2df112d7d130e8448832864b6f869a3cc7d0970b

SHA256
2c23f7d67d3f01ad0b2d8fc989b2d2c244554cb62b48ed50e89cfe49a6670490

SHA512
0832e2ecf76cddd92fad05d7bc06ab9d0015fbb51e9f901780f80b80568488dff0611e19cfdba3515da7d5602d8c9259b0b111273be66b69ea633cd433a8b755

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
1a6e8d2c3c01fa56a14a4e6d2b800c63

SHA1
8fb14e078b20a454f7a7bd5a2b8a3e27976e2bf3

SHA256
587cadd3158a9b4c08e113ff6503de81a7b6b185a1a7d32669d7c48f0ed755e5

SHA512
40617285fdc197a76c29f30b815e3c97a0e9b0985403d65441eb5c97458607a27721fd732e025e5437be5d72986261f57f45efd1bec5b918cd903c223fe8edbc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
ea1984d74b309f9521c407dc5d9e8f0b

SHA1
ae59277b8a2c708b8768f4c6bc2af12ae1e83843

SHA256
b38c6eeb4a5cb03999de11787c41ee30c12cc005565f4e13808c66ae92db1733

SHA512
e7309914277e04cb829c6c6b656a98ab3a0942a7db6d235c8f0114f8e3164679d0737a3ba9394df99399de3b71ef9eaa598c6482dc5bce540d1d425eda4a6d95

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
417cdbf0d2d199e287fa7beb61d772dc

SHA1
b039558d8984030105035677c71323687ba3368e

SHA256
32e1f7e22147f3752ec75ffcaf0b65e2fd368286175ef794b97751bbaeb6cdc8

SHA512
58045423bf36c99bf3bc7ce676f25c9820bfc2b2838d1f6b1a36f60cb71b7babdba9dfb2e26b4c99cb358589cfdac9ffc6cebdebc6e45fe90597e88e7c7caf68

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
d5a4a45015a1546def8f74881325e2fd

SHA1
5f70b619f731bd28b328d0df29cf334ca2b73ef8

SHA256
e210b37edac4ec1ad13e4d9722dd44ccba85dc724ab5b1a4610449d3701cfcb6

SHA512
dee5f49a024cf2d18fbfab22e38c232fb2671e2b503576bf39343460b8faa020c349166884afcfef3cbd8b01db133c6a46f0aaebe9f54cc6e5067fbd342f030e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
5b80d87110775db910a75fc9f8a5c1b2

SHA1
af44efaea66c6390da91c532a280783015a6506a

SHA256
e09b37d7b23cf2d962d81c0c22632e356c1fc58f23d4f749a0965dd6626f5c9b

SHA512
f11e2495244d14cf44a402f767a8409dfbbeb911b150b27bb06f7a690eb46ba61c414daab3d929ed6722a728c802627cf883e70dafb6962afe98d87d93a7c166

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html

Filesize
10KB

MD5
8340631f493653a0121d348912be8731

SHA1
efaa234e2b0f9ee425f7bd7d30d43d1b5b973c21

SHA256
d2f6f25d3ea3b40d4575aace9276ae3eb32efb091edbb57dc8c9939c9ac8bc69

SHA512
11065a148320b9fb10a12bf1580a47020b72d80bd063c31ca39d0912d4c3658ccd1e7f58d7833924ee9bd3566884700acd63700ed25ef068ebdde3155727d389

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html

Filesize
13KB

MD5
b2ff6fdce42cea80c2fcdce1913a0358

SHA1
e7f141d329d7a45bb16e0c74e6d364ae18d6b26e

SHA256
b0d1a7a64a0a62833893e4f9e82acaed2d8c08145da124ec81c2a8d1ab7aa08b

SHA512
812f36c67b845d02393f5c3dcde14807bb9d4fd8af607deace9a011d5e0c77d219bb32ca7aa7ae7d5a89a76ad85b3def5aaecfc293a2a02ac39d87041bd5c9ac

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

Filesize
1KB

MD5
4d2f69e1b5acd796dd3a7784ae80816c

SHA1
6740d24cbac9addfd7c79732c8ad7e38b6a665ca

SHA256
4bf80c3e5bb9a143fc639a6ee3d2c660effc508832ffe5647bd6e3e54e3e99fc

SHA512
5a97d9597ea9aa17f67e0e85bc25e2a3292f231a79318534e518ccc3d98104691574e1711774b43a888dc0c684ce87c7c748c9e40e3d50f020439c36223fbb01

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
3ff4f71cbf4e747e3b824b82ae5c7589

SHA1
b8e2cc3db9af5df8c05275f385e830ab8f2d7831

SHA256
4ee2f9c078ecd3d5b65af3a82b9d61587e3dda4b79c32d3d752c45e368636885

SHA512
7c1c370d043cdccd07b6d23fc805a2302445f97805bb4e61e22e420ddbb798a1dcdb3cfdd9172efb13bb03e2caff5635a461b3d3ca68f724cd186ab0f3950568

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
9cc59bea76696043e3beefcbdd8e89b7

SHA1
e4ff87aa4d30f30e10b92bc7e9048db7cf74248b

SHA256
008b9b71fc5a5e98dbbc085df8b940d5630607c53dd3e730eeb1393bd7477ef2

SHA512
9af5a8c83f4c6a17e0cf0fa25d93b0c9129e272c312bf30ab7812c42198f1caa71b24c951662e4ef05a821805ba3970093100d72264bb590b355978150824134

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo

Filesize
604KB

MD5
814d7d7fbb94619ea9f4921e8678947b

SHA1
5ecc00de868ecdddcb7c1d19583f51e19438de1a

SHA256
b2e17be684b430a0693a694ee61d27ebe00be493c8f60f3a0129daff3a82bb53

SHA512
95b555244534de017dcb9d6930da58ef5cef66e912212a7644e1c2a3b59caebdace3d97acabf00b5e92fc79929d8e6f0b04c095d1885c5673bf3d6475fd9a70a

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
6543c5fd72e12e6b145c906dccb04329

SHA1
5ff0bc2475e2d929604bdbe78f4f7a3b3edc5b58

SHA256
590638f758accb91838ba74ab84b71bbe97d6dc5d2ddc3541d31c08189c27836

SHA512
b2b928d1c9cd2d8758699267e48d64b7c671577124f74dec5fd83fee4588d1809ea3be9f9205d330ce9c661a8fccc56bd9b7e85136816f81ab457bd857347332

Download Submit
C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
694ccef20e547a6b158b28f20688d84f

SHA1
e8398610a41ca1bc581364577db780ffaee00ac3

SHA256
2a7f39e803a275a1eee7e057669d18830a1a78ece91caee1d79055c600400233

SHA512
ed00fb67cb55507823019d6f69e9a44cce106954edb7801baf310e93a88eca64a3d0a6bcca67439d45bc1a5fa01a8e8c0083b33666a00ae1a7016556109bb940

Download Submit