Analysis
  max time kernel:  151s
  max time network: 126s
  platform:         windows7_x64
  resource:         win7-20240221-en
  resource tags:    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  submitted:        27-02-2024 17:57
Behavioral task: behavioral1
  Sample:   cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
  Resource: win10v2004-20240226-en
General
  Target: cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
  Size:   332KB
  MD5:    10c5fde0d48f9058490705ce7646d73b
  SHA1:   204eaa05dd25c6d71cef19b16c0cd232b05e1ae8
  SHA256: cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9
  SHA512: 7d37506597ca2e8bf624d0c6fca592e72e436fe4b906ac6334a4ff6b57f363834bf35f1038209e6bf67d43b39f538b7ebdd72a2b268dd1297bf6c99728e48854
  SSDEEP: 6144:Sq9ezqsEC8dS7CCKUf+9xwL1ZTcDCzyrxQX3hVds+tfCOu3miq/RiXq:S4JsE3CKUf+9xwL15cDCzie1ChhXq
Malware Config
Extracted
\Device\HarddiskVolume1\How_to_back_files.html
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description            pid   Process                                                               procid_target
  PID 1752 created 1208  1752  cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe  16
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid   Process
  2164  bcdedit.exe
  2620  bcdedit.exe
Renames multiple (7582) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  pid   Process
  1540  wbadmin.exe

  pid   Process
  2532  wbadmin.exe
Enumerates connected drives (3 TTPs, 26 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (3 IoCs)
  description                   ioc                                          Process
  File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl  wbadmin.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl  wbadmin.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl  wbadmin.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  2736  vssadmin.exe
Kills process with taskkill (14 IoCs)
  Process: taskkill.exe
  pids:    1984, 860, 1964, 2804, 2524, 2960, 1592, 1536, 2496, 2260, 2320, 2632, 2724, 2752
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (35 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              2752  taskkill.exe
  Token: SeDebugPrivilege              2632  taskkill.exe
  Token: SeDebugPrivilege              2524  taskkill.exe
  Token: SeDebugPrivilege              2960  taskkill.exe
  Token: SeDebugPrivilege              2804  taskkill.exe
  Token: SeDebugPrivilege              1592  taskkill.exe
  Token: SeDebugPrivilege              1984  taskkill.exe
  Token: SeDebugPrivilege              2724  taskkill.exe
  Token: SeDebugPrivilege              860   taskkill.exe
  Token: SeDebugPrivilege              1964  taskkill.exe
  Token: SeDebugPrivilege              1536  taskkill.exe
  Token: SeDebugPrivilege              2320  taskkill.exe
  Token: SeIncreaseQuotaPrivilege      2760  WMIC.exe
  Token: SeSecurityPrivilege           2760  WMIC.exe
  Token: SeTakeOwnershipPrivilege      2760  WMIC.exe
  Token: SeLoadDriverPrivilege         2760  WMIC.exe
  Token: SeSystemProfilePrivilege      2760  WMIC.exe
  Token: SeSystemtimePrivilege         2760  WMIC.exe
  Token: SeProfSingleProcessPrivilege  2760  WMIC.exe
  Token: SeIncBasePriorityPrivilege    2760  WMIC.exe
  Token: SeCreatePagefilePrivilege     2760  WMIC.exe
  Token: SeBackupPrivilege             2760  WMIC.exe
  Token: SeRestorePrivilege            2760  WMIC.exe
  Token: SeShutdownPrivilege           2760  WMIC.exe
  Token: SeDebugPrivilege              2760  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  2760  WMIC.exe
  Token: SeRemoteShutdownPrivilege     2760  WMIC.exe
  Token: SeUndockPrivilege             2760  WMIC.exe
  Token: SeManageVolumePrivilege       2760  WMIC.exe
  Token: 33                            2760  WMIC.exe
  Token: 34                            2760  WMIC.exe
  Token: 35                            2760  WMIC.exe
  Token: SeBackupPrivilege             604   vssvc.exe
  Token: SeRestorePrivilege            604   vssvc.exe
  Token: SeAuditPrivilege              604   vssvc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTP, 4 IoCs)
  description      ioc                                                                                                          Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                  cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"   cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System                                  cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"   cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe
Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\Explorer.EXE  (PID 1208)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe  (PID 1752)
    command line: "C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe"
    signatures:   Suspicious use of NtCreateUserProcessOtherParentProcess; Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification

    C:\Windows\SysWOW64\cmd.exe  (PID 3000)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
      signatures:   Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 1096)
        command line: C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"

    C:\Windows\SysWOW64\cmd.exe  (PID 2604)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      signatures:   Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 2668)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
        signatures:   Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe  (PID 2752)
          command line: taskkill -f -im sqlbrowser.exe
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 2652)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      signatures:   Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 2776)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
        signatures:   Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe  (PID 2496)
          command line: taskkill -f -im sql writer.exe
          signatures:   Kills process with taskkill

    C:\Windows\SysWOW64\cmd.exe  (PID 2812)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      signatures:   Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 2232)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
        signatures:   Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe  (PID 2632)
          command line: taskkill -f -im sqlserv.exe
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 2460)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      signatures:   Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 2504)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
        signatures:   Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe  (PID 2524)
          command line: taskkill -f -im msmdsrv.exe
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 2512)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      signatures:   Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe  (PID 2088)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
        signatures:   Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe  (PID 2960)
          command line: taskkill -f -im MsDtsSrvr.exe
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 1796)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

      C:\Windows\system32\cmd.exe  (PID 2640)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

        C:\Windows\system32\taskkill.exe  (PID 2804)
          command line: taskkill -f -im sqlceip.exe
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 1960)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

      C:\Windows\system32\cmd.exe  (PID 1264)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

        C:\Windows\system32\taskkill.exe  (PID 1592)
          command line: taskkill -f -im fdlauncher.exe
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 1036)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

      C:\Windows\system32\cmd.exe  (PID 704)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

        C:\Windows\system32\taskkill.exe  (PID 1984)
          command line: taskkill -f -im Ssms.exe
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 848)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

      C:\Windows\system32\cmd.exe  (PID 2716)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

        C:\Windows\system32\taskkill.exe  (PID 2724)
          command line: taskkill -f -im SQLAGENT.EXE
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 684)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

      C:\Windows\system32\cmd.exe  (PID 792)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

        C:\Windows\system32\taskkill.exe  (PID 860)
          command line: taskkill -f -im fdhost.exe
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 1484)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

      C:\Windows\system32\cmd.exe  (PID 972)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

        C:\Windows\system32\taskkill.exe  (PID 1964)
          command line: taskkill -f -im ReportingServicesService.exe
          signatures:   Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe  (PID 1644)
      command line: \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

      C:\Windows\system32\cmd.exe  (PID 1528)
        command line: C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

        C:\Windows\system32\taskkill.exe
          command line: taskkill -f -im msftesql.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1536
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe3⤵PID:2308
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe4⤵PID:2556
-
C:\Windows\system32\taskkill.exetaskkill -f -im pg_ctl.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2320
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe3⤵PID:2312
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe4⤵PID:2052
-
C:\Windows\system32\taskkill.exetaskkill -f -impostgres.exe5⤵
- Kills process with taskkill
PID:2260
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper1003⤵PID:3060
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper1004⤵PID:1848
-
C:\Windows\system32\net.exenet stop MSSQLServerADHelper1005⤵PID:608
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1006⤵PID:1872
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS3⤵PID:1704
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS4⤵PID:1876
-
C:\Windows\system32\net.exenet stop MSSQL$ISARS5⤵PID:648
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS6⤵PID:960
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW3⤵PID:2176
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW4⤵PID:2416
-
C:\Windows\system32\net.exenet stop MSSQL$MSFW5⤵PID:1788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW6⤵PID:2196
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS3⤵PID:2136
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS4⤵PID:852
-
C:\Windows\system32\net.exenet stop SQLAgent$ISARS5⤵PID:408
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS6⤵PID:1364
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW3⤵PID:1648
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW4⤵PID:1568
-
C:\Windows\system32\net.exenet stop SQLAgent$MSFW5⤵PID:1020
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW6⤵PID:768
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser3⤵PID:976
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLBrowser4⤵PID:1884
-
C:\Windows\system32\net.exenet stop SQLBrowser5⤵PID:2100
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser6⤵PID:1672
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS3⤵PID:1292
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS4⤵PID:1676
-
C:\Windows\system32\net.exenet stop REportServer$ISARS5⤵PID:916
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop REportServer$ISARS6⤵PID:928
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter3⤵PID:576
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLWriter4⤵PID:1764
-
C:\Windows\system32\net.exenet stop SQLWriter5⤵PID:2396
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter6⤵PID:2068
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵PID:1332
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:1820
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:2736
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵PID:2020
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet4⤵PID:1200
-
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet5⤵
- Deletes system backups
PID:2532
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵PID:1664
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:2212
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest3⤵PID:1360
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest4⤵PID:1740
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTABACKUP -deleteOldest5⤵PID:2536
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive3⤵PID:992
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:2384
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵PID:2096
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No4⤵PID:896
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No5⤵
- Modifies boot configuration data using bcdedit
PID:2164
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵PID:2244
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:2600
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:2620
-
-
-
-
C:\Windows\SysWOW64\cipher.execipher /w:\\?\A:3⤵
- Enumerates connected drives
PID:992
-
-
C:\Windows\SysWOW64\cipher.execipher /w:\\?\C:3⤵PID:860
-
-
C:\Windows\SysWOW64\cipher.execipher /w:\\?\F:3⤵
- Enumerates connected drives
PID:568
-
-
-
C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe\\?\C:\Users\Admin\AppData\Local\Temp\cf3b068448640298738c2a407427335a289832d0c0013fda10e0fceceb208cd9.exe -network2⤵
- System policy modification
PID:1512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:2712
-
-
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP1⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1540
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:604
Network
MITRE ATT&CK Enterprise v15
Downloads