cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
Size

335KB
MD5

794f3eb31688ca56a4f7ca6f4691d3e3
SHA1

6f6e458805f8da94f820f2aff6a201b70482273d
SHA256

cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30
SHA512

cd7e6feda73af8d569466b9ea5ed46c4784c404afcaec6b1582d1fa8a1c00b18aea8b7851f298e1eb740e328dbd5d5ad932c13036699b05e5807ad85641e0dff
SSDEEP

6144:5Y9zfajnC6iGm15k66Clhdq8yZXlkV68pr2g1PJbmVhMqu:m9WHm15k66ClHq8yZVypIMqu

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">GSl6EDNW42u75LMbipw+bt6GDVQadOOb8MsqhI0xKt3BzDNy5y9+SgUP3YZbi3QsthhrnF99c5qo2T5iIsgE5WXqtZRaPR0DzvhNiM18kj6Y2H5swo5rzjh1OyZ7j0H3dBJ+Gj0Ubv/Ajapc6reKjwhR7EJ2CRptacw3kq3lTOTEnsaYITUAgxuzkPcJq9HDPYak5hOCMqH2EQSnv/0hg8CkUJiylUvQzbRJWIHYI0dei80uLaEwrkkkGPhW79r8NaMHGM0YksaubHLMJSdVR6QAAHEclQSjoSMeS0TJ0gaFch6khGNhtu8zzndNTCbiPfe/DuO75hcXojEvApNK2uFXTCrOuGzkuMy5eQC6NQBwfQMyyDoMCYszM6t321Wq5E3qShJN2kMbVvRzY4uXTUn39H6PzdMkDxya8Au1vTLLIcCC+pKIhXX+hzUQ6aoGKqz+rCIugyLczDCCuUgy4vC6xLu+l3UjEx/O0X/97WQwMoi0odNUD8J+pY8OwzQVf69mQ7jsG4L3a5s2CQA3Mpq5ZMxfoJtrhZkbaySWM+2IzwriSxWh3LJ6bH4qIbsYTATCse0b4yfQgi3BPlUdeTLYKTExg6qcc6tbMsWpqSGm+5gM+AwmVmXNbi3Swdsj/WHEX2+Hw1vvW45b9Qu1o5XCV83LNN8xnY2CIE6pA9KwqKGjSTYlDUtuwsyFbzDu0lBb3JUv+tBQlcANoe+V4FemUE8+fEpKOIPXguw3qUCQDq75SmVkFtM8hFgPAQ4g7oMfyb5mL72syKobCJhfzxjwshw/1WR3CaEHQJBkQNtOm61U8Gz/mt8lAnUEQaYfg/4Xy8IcBbQRAHAQd11P1KAMPySy49HajLzdTXAWMpn37KJY1jxMVqZF360IPRpOeluX/TaucHwAaLRKqM4XA1CPjGPDhvWYDQ9YCynol+RtARUp30y+sBqdx0Sjj3CWjZae0d15mNG2d9qEWlO/Md8Wq58IzU42HV4/XKTC23ORlVJUX3cFf/KzejkU6Wc7qkS8TZlKSPlmdf0oAwUu8KyGbXRfe0ylULY7eOefrZkADC3J++8dpRvGM1d0arGcB5Tl36kDn2cpEXHcH4bLiXzjo8cN/JFjmE2wDZXVEUOQ9MXId+Q+O87pd49hNzn1m607mDiuM+i2SMbpBtMSPZPRwaxLClKE3HpA1pbO6cYmF8oH19ebhwxq3ues2aumYDfe0ZT0MGFAkm8u2kshDWDHE5NM/KuINVEoMUVFJ8uS3oK5vCengtt+ZQjwMUKXUHkITGhwyhzXuxeMAz4r1MFFYYLGiPMEmNDuiRzMla7V0ALwTUcY/8IoR9zPWKbuV6C6WnFoAc5eccOWJqtUAd7IMEPWIvRt86N3kMIEd/dmqwZ7sjV9vhf7TeKSxmhb/VFSL7fK1fc0dg1iNXxYA8lrxAUbU8hyF9APYy7hW8dtHEPB10J5yLJwCDTwDUsqaHQ3L1hcU5fiUoIdlm0UnYsPA+/KWsutcB1/PrAk111Me/b7IoY7YP7u8H3bL6yi7O5V6I9R4ujw0JtgiF0V3lQYi6COMVVqj6FMwR9+co+44q1wZQ+G2ZJIYSeoBUqZ7lLs9uGoO2VbXwkU60Hg6yBGx9L91GI9Xvs6p8uaXBi9pfAd+psmy4cAw0hdQ6yIxneZMjjUqQxLQL7xzP8n1dZR+4Ym2rdGeXY89VTsCYE=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

description pid process target process

PID 1612 created 1224 1612 cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2752 bcdedit.exe
2756 bcdedit.exe
Renames multiple (7575) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2220 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2916 wbadmin.exe

description	pid	process	target process
PID 1612 created 1224	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	Explorer.EXE

pid	process
2752	bcdedit.exe
2756	bcdedit.exe

pid	process
2220	wbadmin.exe

pid	process
2916	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.execbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe\""	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe\""	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.execipher.execipher.exe

description	ioc	process
File opened (read-only)	\??\W:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\I:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\L:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\Q:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\N:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\O:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\T:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\F:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\G:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\P:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\S:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\K:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\R:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\Z:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\A:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\B:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\E:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\J:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\M:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\U:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\Y:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\H:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\V:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened (read-only)	\??\X:	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

Drops file in Program Files directory 64 IoCs

Processes:

cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\vintage.png	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32F.GIF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-background.png	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\How_to_back_files.html	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\mpvis.dll.mui	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14828_.GIF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECS.ICO	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveMergeLetter.dotx	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02278_.WMF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Xlate_Complete.xsn	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_es.properties	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\slideShow.js	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\HEADER.GIF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\RSSFeeds.js	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\INDUST.ELM	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152590.WMF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR7F.GIF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.DE.XML	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\decorative_rule.png	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Anchorage	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18257_.WMF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR17F.GIF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePageBlank.gif	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_left_over.gif	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\How_to_back_files.html	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File created	C:\Program Files\Microsoft Games\More Games\en-US\How_to_back_files.html	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\localizedSettings.css	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\settings.js	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Recife	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\vlc.mo	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\How_to_back_files.html	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\MedianFax.Dotx	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\gadget.xml	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePageStyle.css	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\msdasqlr.dll.mui	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\How_to_back_files.html	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dili	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\6.png	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_ja.jar	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\How_to_back_files.html	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107744.WMF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\How_to_back_files.html	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Explorer.zip	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\gadget.xml	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105246.WMF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSWAVY.WMF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143748.GIF	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\JSByteCodeWin.bin	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\system_s.png	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\tipresx.dll.mui	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_hail.png	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\clock.js	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2636 1612 WerFault.exe cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2540 vssadmin.exe

pid	pid_target	process	target process
2636	1612	WerFault.exe	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

pid	process
2540	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2876	taskkill.exe
2304	taskkill.exe
2416	taskkill.exe
2528	taskkill.exe
2412	taskkill.exe
1720	taskkill.exe
2548	taskkill.exe
2740	taskkill.exe
1896	taskkill.exe
384	taskkill.exe
3012	taskkill.exe
2612	taskkill.exe
2904	taskkill.exe
1708	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

pid	process
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	2528	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	1708	taskkill.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2696	WMIC.exe
Token: SeSecurityPrivilege	2696	WMIC.exe
Token: SeTakeOwnershipPrivilege	2696	WMIC.exe
Token: SeLoadDriverPrivilege	2696	WMIC.exe
Token: SeSystemProfilePrivilege	2696	WMIC.exe
Token: SeSystemtimePrivilege	2696	WMIC.exe
Token: SeProfSingleProcessPrivilege	2696	WMIC.exe
Token: SeIncBasePriorityPrivilege	2696	WMIC.exe
Token: SeCreatePagefilePrivilege	2696	WMIC.exe
Token: SeBackupPrivilege	2696	WMIC.exe
Token: SeRestorePrivilege	2696	WMIC.exe
Token: SeShutdownPrivilege	2696	WMIC.exe
Token: SeDebugPrivilege	2696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2696	WMIC.exe
Token: SeRemoteShutdownPrivilege	2696	WMIC.exe
Token: SeUndockPrivilege	2696	WMIC.exe
Token: SeManageVolumePrivilege	2696	WMIC.exe
Token: 33	2696	WMIC.exe
Token: 34	2696	WMIC.exe
Token: 35	2696	WMIC.exe
Token: SeBackupPrivilege	2216	vssvc.exe
Token: SeRestorePrivilege	2216	vssvc.exe
Token: SeAuditPrivilege	2216	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1612 wrote to memory of 836	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 836	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 836	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 836	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 836 wrote to memory of 2644	836	cmd.exe	cmd.exe
PID 836 wrote to memory of 2644	836	cmd.exe	cmd.exe
PID 836 wrote to memory of 2644	836	cmd.exe	cmd.exe
PID 836 wrote to memory of 2644	836	cmd.exe	cmd.exe
PID 1612 wrote to memory of 2716	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2716	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2716	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2716	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 2716 wrote to memory of 2592	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2592	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2592	2716	cmd.exe	cmd.exe
PID 2716 wrote to memory of 2592	2716	cmd.exe	cmd.exe
PID 2592 wrote to memory of 2548	2592	cmd.exe	taskkill.exe
PID 2592 wrote to memory of 2548	2592	cmd.exe	taskkill.exe
PID 2592 wrote to memory of 2548	2592	cmd.exe	taskkill.exe
PID 1612 wrote to memory of 1584	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 1584	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 1584	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 1584	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1584 wrote to memory of 2888	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 2888	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 2888	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 2888	1584	cmd.exe	cmd.exe
PID 2888 wrote to memory of 2740	2888	cmd.exe	taskkill.exe
PID 2888 wrote to memory of 2740	2888	cmd.exe	taskkill.exe
PID 2888 wrote to memory of 2740	2888	cmd.exe	taskkill.exe
PID 1612 wrote to memory of 2576	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2576	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2576	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2576	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 2576 wrote to memory of 2348	2576	cmd.exe	cmd.exe
PID 2576 wrote to memory of 2348	2576	cmd.exe	cmd.exe
PID 2576 wrote to memory of 2348	2576	cmd.exe	cmd.exe
PID 2576 wrote to memory of 2348	2576	cmd.exe	cmd.exe
PID 2348 wrote to memory of 2612	2348	cmd.exe	taskkill.exe
PID 2348 wrote to memory of 2612	2348	cmd.exe	taskkill.exe
PID 2348 wrote to memory of 2612	2348	cmd.exe	taskkill.exe
PID 1612 wrote to memory of 2492	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2492	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2492	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2492	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 2492 wrote to memory of 2608	2492	cmd.exe	cmd.exe
PID 2492 wrote to memory of 2608	2492	cmd.exe	cmd.exe
PID 2492 wrote to memory of 2608	2492	cmd.exe	cmd.exe
PID 2492 wrote to memory of 2608	2492	cmd.exe	cmd.exe
PID 2608 wrote to memory of 2904	2608	cmd.exe	taskkill.exe
PID 2608 wrote to memory of 2904	2608	cmd.exe	taskkill.exe
PID 2608 wrote to memory of 2904	2608	cmd.exe	taskkill.exe
PID 1612 wrote to memory of 2916	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2916	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2916	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 1612 wrote to memory of 2916	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe
PID 2916 wrote to memory of 1984	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 1984	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 1984	2916	cmd.exe	cmd.exe
PID 2916 wrote to memory of 1984	2916	cmd.exe	cmd.exe
PID 1984 wrote to memory of 1896	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1896	1984	cmd.exe	taskkill.exe
PID 1984 wrote to memory of 1896	1984	cmd.exe	taskkill.exe
PID 1612 wrote to memory of 2684	1612	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.execbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1224
- C:\Users\Admin\AppData\Local\Temp\cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
  "C:\Users\Admin\AppData\Local\Temp\cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1984
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:2684
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2696
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:2020
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:2332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:2012
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1648
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:1644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:2312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:1160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2276
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:804
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:1516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:1500
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:2792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1772
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:1712
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:412
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:2084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:2236
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:2952
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:2080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:3060
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:844
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1800
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:2996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1104
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1960
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:2100
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1964
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:912
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:960
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1636
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:2280
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:1776
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2108
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:3024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:3068
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:1980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2632
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2504
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        
        PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2592
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        Drops file in Windows directory
        
        PID:1896
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2452
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2284
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:2076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2244
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\F:
    3⤵
    - Enumerates connected drives
    PID:208
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\C:
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\cipher.exe
    cipher /w:\\?\A:
    3⤵
    - Enumerates connected drives
    PID:2732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 712
    3⤵
    - Program crash
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\cbb697f31d96253054120b5dfa8af4460f2f2a474a94f54835d2b3a39ea69f30.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\How_to_back_files.html

Filesize
4KB

MD5
0f0467a6fa89f789b9c7ee1e81ac9407

SHA1
eb8c6829f8d277d1b007b94acbe6469a78326555

SHA256
1b867cce5424049bdd749737b4662a6e382262956298ce0d8117fb4abfd77ea7

SHA512
3ba949af03c81a00a5e079f41bacf9d14b3c4e859ab0cd8197136962d4ce90ff535dcb4664791e1ba16bd750447030681a5d391d000822f9a8b723ff6c870878

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
f897b0341ec8265e3fb131e14b69add4

SHA1
e42d73276077abe0363115dda558fd504c32a3ee

SHA256
27c258a240d65100ca79cff8ab90de346198b9fe26c5daa4bf2f0a2a1b35c8c7

SHA512
085f040a32923e5ffe724f11e6cfe1f5c8eef76f1e7793cc50b59afe4fb603c906a53670cf6a6737a7d74afdd2caebe2d2f7d3450064dbf2aaf01bef13bfb25b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
c9e37623ca75d7b4bc7e18b0ad47a909

SHA1
55129112076c5a9e5b290d45d82fb229f9019a0f

SHA256
fbe06004f91180c1885a934a1841160abb0a60f6b41130965f3af4c55261e686

SHA512
9bf2cbb89b5013891b90edecfc59deedd6b6356c78f4b43792e5005b6a07e674bfb283af40820102162504cbc37af9613a8a8d35d18f327a039e0bfe2904642a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
a17b573bc31128b9c8f80299e19693b9

SHA1
0c515d38071535b13639c38501310c9ca6bb52cc

SHA256
ec8f5f11641a23a6994e7b58c9e1468200189ef5f353a9e8ce3020cbb4e241f8

SHA512
e89920fd3e0b98d92f53badb52c1750eb4fd882369bce7508666dfe17ecb7a029c558e4eafbd6530510971d2d1331d83ab8549d3922945944fd2272042f3bb54

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
96184a479124e9d63a58b2324b60e010

SHA1
25a0a454f5f44c458b7054c7a7fd68fc0f381271

SHA256
bf51157f918c0ffee7d504a3c0ec29e7b510790631e97856447f8b456a3adb7f

SHA512
79340a8aebe2dcebf2912f7975c8cddb76f41e132059a0c25aceb56925de6f5ac3e22a7c2be2d68db6882d44d1bba59354b6dc150535d701ceca94d1d75076d4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_OFF.GIF

Filesize
1KB

MD5
c03d18c09cf215fcc6c052279af7dbdb

SHA1
919275d91831d921c8d35f807d27ab3bf25daa71

SHA256
d76c220692c31a6005c42153e662d7da016b622f94e9810a465b02fd3b7d8e0d

SHA512
88f2ba82ee2133eb4f4b628202d06712f1ab188ea12b946630deda59307937788cc617ab1b1e30e8d06cbadc8e7c9ff5db35ae9fd9e73b2d8b6ac82aa5fe3367

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\TAB_ON.GIF

Filesize
1KB

MD5
22b63a53764601821e4bbff84beb9eed

SHA1
2d65da48d87391ad3188e2e4e5e80090801b8e2e

SHA256
652e5473e58fcf0321451497a3ba2a4ce0a14299f63d380d9afe478b72a1e275

SHA512
6d83097aecddc8096da603e488116c8c1caa3661654e7e8725a98a1b5ffd6658b84a0b671ad1efbb308e347ecf2163638a0ff18debdb1ac52ac62a0c6bbcc121

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK

Filesize
1KB

MD5
8449295242ec51a4ca780a7d07660b97

SHA1
7c4999b4cdc3682d8434d7ff522bc16ff7993de3

SHA256
b136257b0acf400c5b991b9367f67769bb91a7e05cfed5252f57d6b8f20d5586

SHA512
a10b1be881703f23758b0e0e2f11c5773561492d1f930fc82064c5516711336b0f782890f5320cfa020977781cad0c06cfc0a0b0cf7d9bc33bfcf4fc6a432cb1

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK

Filesize
1KB

MD5
f412079c7e547ac5be1afa52f684e2d0

SHA1
dc46cdcb7eb7a7ddab6a1d129832b24e53f81a78

SHA256
7d313b26b8bdc2eb1996874e1aaaa5d51c25ffe88d258b680f72e5f4bf8d8eb7

SHA512
ffff362018007db1e55e864c060f9d042279e66f00a12142976631de1257488c4582636a8c191f5421983dbaa2a86233adfb571815d36bed537537958a4f7a67

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_ON.GIF

Filesize
1KB

MD5
a9b0076c0f813ec35b487a9ad16e71f6

SHA1
790777bd0c9c402663f48a340c8287970f2244ef

SHA256
a524ff527cc53eb7a96683831c01a1cc73f2a7d22ef9e199da0ec380dae590db

SHA512
881e46adc22cd336e514e2165f4ee1ec46698538a31848208a77e345e3218f45e173bb587b684b83978f0778a3945289074418a9bd51f4552f1eb41429d22d22

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_off.gif

Filesize
1KB

MD5
c9e04be0daea918dbffffc8274ed9015

SHA1
36afd28e86b7dc0e458aa50a5a79edcc97166ff7

SHA256
fbd7bd22cdd828e5b3f6d6b9659e13cd6e0170c5be7e65a5bcc8e1823c6ce407

SHA512
ccbe16408c2fc92b9ce739c6e4b9e1736a70733555ddc64d3ae6bab694f4ab9f4dfd3550930e0a48ce86a3a9663e26f47d61b75940abae4876d12a5a5f1a77f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
4KB

MD5
9dd073e8fdefb839568a0e9fa7a9f47a

SHA1
d10adecd9122a5f893d06b09023fe27586d92c9a

SHA256
78b1797da2f904279d80ea8f480af4f64bbc2837c40aa68cfd0f08aca4c1a682

SHA512
1e4a3ecd085ef9fc7e1ad5c8f67ead0f43597d991f40fb8e1f483a0973fdeb1a2b4e54adce99182734fc52bf8142e94ea3de6ea90c1e28aa42ba9ea68bd5e13e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF

Filesize
25KB

MD5
d09f5f9b2f914a6621339326615625c7

SHA1
43dae61717889ebffdd6e2805f46c429b4db2674

SHA256
dafe3f5cdee481109b4a2ac521192703975f0ccb40c99526696002d2abb4e809

SHA512
4b3e61fd418721e19a786506162a859b0dc35ffdc46f9105f76a6ad0833eabf729bf7fc8d466fb7d52413b64e8350ef364d45c442908d515680a755a23d5eeb8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FORM.ICO

Filesize
1KB

MD5
aa64565e9338422a47238b943a61c833

SHA1
0b1179f9e7c79d86c288769dca34f2497fd37274

SHA256
76e8ec88771b7da63abf8cd372357e4eb3c96af5ac05eb76609820f51ed3e561

SHA512
9af27f61e355b7b19f00083f691aa7a73b81bb6ad013043eb04c2025152cc4d4def5dfdb06e680f1bd6867be125991ededff94e28a14a25452541c290f10325a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
f017d424563f77a3f3bad84a2b65b022

SHA1
99763fce6b9e04d1462b1fb6c7b993c811bdf0c5

SHA256
8d85cdf6dd08bc0a444b7bcce60490e802f1639f8712855ce13470b0e1bce613

SHA512
43ceaa37132c43d03b45591b290bbbec2d8429194af639be6654c37220b985dd3c3260862ccb5eb6e0c1d38f6b7d68dac080792633b9dc4da1a95011d4fe813a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\TAB_OFF.GIF

Filesize
1KB

MD5
566da7fee15df1426cd9f951476521d2

SHA1
0e426d96e80fa9b0dbecd4a794bbbba1c8fc3a48

SHA256
148057cac6fa642f4b8a21a7ea7d02f69545699dcf5959a946c3fb336a509592

SHA512
711dd72fd7f36c0ff1ef9491025f9427ac053250200eb4e44b3eec8b51962c2b19fef62f1cae1a65e116a8ca2f56b1f0fedb513c853a2db7b6a28e3b908e4709

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
4KB

MD5
bad82d1a14de90e7a59d0a6bda88b5e2

SHA1
3fb7611123fe9c2ee365718e20a718f0d109bb18

SHA256
6e7b67aadee79022808288e5f318dbee645a5a51ae414a754f98e6000a97b32a

SHA512
9235189681c2f6e2496d587e1c2412403c92f252f8a1218be89bc368beb7aac91ee3a9460f27e631fd6fe5010ec10fef8b1ee2af421475f42a5b0278e4495c68

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Casual.gif

Filesize
7KB

MD5
4c882ee09dc6e7bebdf072c19a3261d7

SHA1
7e69cbd0175b294f9e96deeeac92c79e075a94fb

SHA256
d0d6b777c3dcef5abea90f4422660e0972def7e89f7a81c5159c23d633be95d9

SHA512
864368adb8b63cd1185594158d87ebf4c29b8296fcbd1c4c24f8b50ccb9a3a3ecb3eca3f1814a593468e2eadb285944c02130dc98fb4a743e1353d15c650a75a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif

Filesize
32KB

MD5
5ac75db8074a7bf81f1335e448425f18

SHA1
db827139998477602bcdfee4f242cd13d40d3833

SHA256
22eed99e4f3b9886daaea0ed1df3d9b5cf80eea794da94e77de638473b7373a3

SHA512
49da47de9bcacc94325f880214a9f728707b489797f56518ae13ad5edcbfb5b9cbac34e0d60fa817efda5f7a04eca0f381f8d1eeb5715ed42ccb39d8a8dcd9ac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif

Filesize
6KB

MD5
93df8f055f347bdfc606819eb0d4aa78

SHA1
3fa4417ad5442579c8389673ed797664e198ef64

SHA256
7c41b1ca48dec8395d558586f429a72278b22ea32869672ffa8d294cc7ac3a1e

SHA512
edcce68e39fdb0aa4ed59ca1863df030223f8711e54d28d823bf921be4710f641204532b9c381b582fdb28995085c8dbd4f10303ed7a05a2c2f867509917020b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
21KB

MD5
e940a6cb427fee332ce12d6a8caf3e67

SHA1
26c0200d6e937fd542fda5379da4c58750421d9b

SHA256
9594318fb916d7b3a14619a38b35961d51ac1c9fbb84d93fc4ace4cb4bc795be

SHA512
2ee0762be1a5db223cef573417eabe5c5a727931d646d2d549b846f7629b46d6fc5222295b5e985e0466d7feee9c7e74431a2506f7f0a73bc725d519257d945b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_GreenTea.gif

Filesize
23KB

MD5
4430af420471900f9b49dc7b254b34bc

SHA1
5424ffda25e864d9b0a3b72144d2f35ab7e03d8b

SHA256
23d8db321ac3bdcce18344e3cae4f7adb4e05452a6c1ccd1e05576064413eaa2

SHA512
9c8aa2758502ee91148b1084701821fcfaba6d4e25386a94ee3a4ea931a9e3e537ff67881b6a304d83a51f7dd19e337225b9cb44bf3c1a75c434058fabfc86a0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif

Filesize
1KB

MD5
ce75c93021068d0f2cbb7dccfc27122c

SHA1
3f788cd26653dc9f9d0063fbcaddc862d22f8a95

SHA256
c624d765e225f6063c467ca102b81d91e3d1e0ca2b90d35f3fb0fddb65f2cc51

SHA512
e959a3a79bfa17f99411d1dd48934963f3ab26ff8c91a4ce0b308769808466dfe7a88a9820c75c9aaf14347a09c8969ab71f3fc39fc309a2e064f06af9e2d577

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif

Filesize
9KB

MD5
c6f1651296708dd472176dbd1a24e389

SHA1
c71b94e2c744df5bb95a48546a915a83ed5a5dda

SHA256
14b5f67681a4979b82d6fc351a15072ca7eae2bd1fd1766fa9cc49c5c4ed78fb

SHA512
91ae16f2ee63063daf92a4081ac14bc4b7a9a9ed9501f953a494cbec005600839223998b6947777efebbd32715b8cb00704aa893ced2bd474d8618fe0aef9166

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif

Filesize
16KB

MD5
7aeb07694ee0e9f0b62d6688ee54cf42

SHA1
065dc03026c5c46a9736fb013d49229d4e04e027

SHA256
a48c0d5812c4faa853042253083869312d7bbc23f40f1f809a0b2dcf854bd2fb

SHA512
14bc9c5be50a6a0352e46b45f38e2e542c26bf8fa48978acb401f66b2401c2234d1eefa61eae3c3c1540e328845ad3b4832a42cd411265d704d4556f9b3c5757

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Premium.gif

Filesize
7KB

MD5
3aebc69d76a729f939271d936e7380be

SHA1
296cc6d194c8e03e8a0eeb28cddb133a2c32d66b

SHA256
284f7322e76063a7725ad72462cae337185a6cbda0033be36e236d562b7ee102

SHA512
01986f89e151913f7c4f2bff383c3a21041b1a2b0cd1fe9281d349f103490ad554332597cc3ef3919f2a8189cf2c0ccd2bc56e0d02557a686cf5d53242848a94

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_SlateBlue.gif

Filesize
21KB

MD5
7d6a7216dc0185e34df6bee9b694bcf9

SHA1
c55b4ff1a76d6b52f8aea4f0ae4df553d0a88df4

SHA256
8284e73d1dd3e022ff9343c657f13b7783daf02373598c85fd8fd96ddd6bd0f8

SHA512
4148188ddc95e99323d6a51df9be9afc9420589c97af4d877d5baa3aa6f0d4dd00d5648c99a28b9ed1e16881351ac74b50e37fb47f9172ea8e8999f583452d61

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_TexturedBlue.gif

Filesize
7KB

MD5
14cae39c3630dcc386fec6bea0655b23

SHA1
265cd9c1ba03748b82351b2b18375ec265d7930c

SHA256
8159ee2da32d1a013bb0a15f86766fea506773a3a2a63a36d1e7508951ad7570

SHA512
12d18ca07d08596928e30d1e32519b4d46d5fa932d7104d73f57ae79860f607a7868ed4cdf4f509460045a97d37e830209c4d3b4a0426fd8a241bbf5d70d3f1f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_VelvetRose.gif

Filesize
16KB

MD5
adf4a65858f6a79029e0236314012568

SHA1
5c3ce40e3c8ebb0cec3a1a83f277ca924bca80e4

SHA256
f7d2599201cb382890a9bcde82af3d722a7f4f959158759163d0f73bef385bfe

SHA512
b7f91d295139f5261a9deb2a5e787bc100191d75415bb000b930bb3acc8365ea23357ecf37f3bb11df782360f6ad24336f36ec27bb52b09adb2e8c740bf25d90

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
a1c01bd629bd095513011b6dc97ecbe2

SHA1
c59172022d3a62392afba5b75ca04edbb13ecaf7

SHA256
3af3ea744150d3ccf5e595ba2943cdb6a98a10a5f419bde854dc2b044881bd58

SHA512
d634148f156057645fe10c0ef5e59f9485f29a1391e0d7ed5931f8268fab97864d75cd1f2d3d61f8881deb6626820558c3a84d5cc8f924c814401a4d76bf43f4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
650bf8ceab56eea475801ca409942254

SHA1
4e9ebba59d06299dd119743ee28337225a5e1f4f

SHA256
a4bdd0d776c71395f5ea3692c409941256183e559617bcfd46f9dde34511cca5

SHA512
4d4a09f2d001b5b2f716766c32c7e10d3d02976baea5de1de04e87c94740fc3e56c43d8549dfe40e9c73eb5532a8538e565c2cfabf383a27f9dcbbdae9c3c511

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
5d581b95b446baa6229db2e61e1c23ce

SHA1
ce924fa605c0da0c2c486e8bd7071109620354db

SHA256
a73a08551b3f35d2fdef20a04df35c729647f839e4accd01edf1cf9959db071c

SHA512
bcf747eea18f28df1edf0328934daf4b908059e5f2709f720a8c377b2d345ae9a90b778648177cabf824ddac8066706638c2daf9135c53e0f731c373596d7bcd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
377bb138ace611425fd495537ff8e075

SHA1
8369d30dde2eb6ee2db2eb683113543d17e20983

SHA256
d5d25371ccbbfdde4daecf0cc77abbe42e6ff2dd85ff9120f83a7079570e124b

SHA512
1631d7a33c73c1ab358395bd6062294e163af9b1a97061c0bde4696bd62f17ad161bccd30e2f12eb66342f0152bb129569d7a9ecf040f9cf15920de08ae13099

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif.busavelock218

Filesize
1KB

MD5
82a438eb90d0b5e49f497d92fa5141f0

SHA1
a7ad3bed05c9f7bd460c61c4e0cdf041ce883dea

SHA256
fd3428355b6a5311455a98762e9138cc212e8f1288a6b410cb7566c8b4bb1bee

SHA512
c7b2fd21181516069a1e6138d9a898c8fc2062b302d8743d2266bb0d3d552eaa0815c6727b452b0bd00dea3a23b5cda5e4dc5065fb2d013a1382dd49137013fc

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
03fd84f18a1fb4620000dc67cb63435c

SHA1
7605c1f1e62a46e2e1192b62c8f123b24e233546

SHA256
72a4ffa76acdf95ddcaa7c85a87ffd099fa0ec5e69b722f0c1c91c3ec58b44e7

SHA512
6488e231390e1d9da8a195d85a6b0d9f0fde996efc7b060fe78d8333dc1f5731f11cf9661ff6f0957239e8a8aaf1796c5854a57cc0392f21ab975735738fcf9c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
144d04ecbeb7eadbe93463f904e3a923

SHA1
6643e64b3e7a7f96fddf73ee33fe666fcab84396

SHA256
1531026fb348ba48b933b7c6ecaff5dd70758d296492c7bf1061a9534b7ec8ed

SHA512
b71a77a3266e2387764e7355e25f93e55378faca5c86f60c51f686769a7c492dcf60a4d1d016f44f856e7a237fb6b897388be8e9adf3b260a344643525db012b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
3ce6e846d7b8f9f16b52c24ed4577b6e

SHA1
213972be47cdd8e2a090cd9d97d4ec19d9ac6449

SHA256
e047bc10dc4bfabf534054241cd54d3623dd68f30d43eaac5dc9edf6a410c303

SHA512
07c7c08c600762949c958c0ac67185eced3d79e6f03e92219635a959db81790960869ac1f90c4c77433659459c7519d55e58e8ac53874e1358c0451218f9f928

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
f89300e70aea7d3cd7e28520429bfc7d

SHA1
178fc8776fae0ebabf344d72a223a105e3cdb15f

SHA256
dc19e31b1f9a4ec9fa8a8f999294dc72081401790e8350c23828ca00508ea7ae

SHA512
6397c8d2e455dcec055e018095f243425d2d6d14b42ade1945a9e6dc7ede1852f9ff4701b2caf005a88ed22225f9e11c884821d2320b97134fa0d56a0fbddb22

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
8de93e33e10e2b88942a7743b961e973

SHA1
37ff7b0c554617c87953a2117dbc341b743dc658

SHA256
be3a4a7736468fe31f5efc13732075c902da4d127c4f2c94d3c488870f41d77e

SHA512
87b8d13f98cdcac35bb4f668a1aa327ea20607bfff339fd2b66fc860bb7a5b4237612875881b3b1a9fdceefa5f6ad6a4d9ae827da3273135cf0224b6f55fad24

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
137f9f9df6c5a382a103bd3502d0ecb7

SHA1
485f9b724d8fedff6d8ff3c23af84cdd0f6772ea

SHA256
4778667a2f42fc810e6e5ae2ecdec0395defa2c1923e315e30a2c8edba41e797

SHA512
5dcab595af59df17102de4f0888bc56b3409496ac1a367e71f50ab5bcec3e0a30dd7bf70fabb82cf7dc0685bd5005d0e6379d1017f87fbe25ea619084ca831b7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf.busavelock218

Filesize
1KB

MD5
e46d92eca9f6a43feb547683349af6a0

SHA1
8f5659d12d8f1a3aca5620f47ecd235c4e28635e

SHA256
40f6a5edcb2e6fa89a1c0d3c33163c44d1d1b65d2fb84e4a3200403dd9ca845e

SHA512
516fd45ce09611e2a2b57ac45bd1b938ad6d3e5a6eb7fa6ce992b04fb0c773ed87092c0cf44489b76728a1809021e6e60c1aa07e89a68f1c18ebe8dafb5b5c8c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
81bb3ce17535eeced239d1c5f5c4d9b3

SHA1
56d3d5a8aeab0b09f0904253fd8c8fb84c206cf2

SHA256
45b0d442a6552fb22f82f0602d730484d04cc0d39b6ea894f5df07affda25cd0

SHA512
d7629094bad014f596f1061e4319496f80af266ff6f8cfcb7421cd6b20c61538dd3ce13b558785647911e7cb95cb222ea86f3166b408af68dfdeaf376d191f3e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
a2e1e70b9a3be7c1d3c4e4ddc5bc5e2b

SHA1
a986bba92dd8db7446948784cbf60df3830f8e81

SHA256
e4d20e783a2c49cf9c2de4bedecc852cf62c1787964df26cb95b3d11e182f832

SHA512
14d6bda3643f08dd9181702e7780e17cb790ae6df9134d763a1e9b601a5f95fe3ed313fe7a7a61401a3c8f73df1375351f8aa39f90216393fdc216760e24eeb1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
a3542771bc8fa76d266bd0f3b93331c2

SHA1
9361f554d67e561a9ba47be8706c112bc811ccdd

SHA256
72cc8fb9901399ac3ca862d6ee53dcff405a11014fba37561f10044f33317bf6

SHA512
1ecc23e1c03a61e9326c6ee0d9905a1121066ba3ca37a01561f4a765ac646df83dc7f14eac413efb497861a38c0e9a877a7a0961d2a62cc6ea420ac7bf023bc4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
1KB

MD5
75f560b27f168752475501b707f60435

SHA1
625447e41919dfe0b892a1368a1f10085aed0c3b

SHA256
3ab7f4409d2744030cabde8f2d3371b0d9f8ad1bc8ccb7ec3ef7a8024b361526

SHA512
57779e66cbf93ded2a9eb486e3de78355d47723a34ce65f2204a88451430f2add1234f0236fac36c0fc980198abce373f8a7cc91285617445fcac81cd8723d67

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

Filesize
1KB

MD5
67e4269cb1c02a3913804d243e5925b4

SHA1
2cbd780b61eab4d7001f18ec8769116e825de82b

SHA256
532953ebaf82feac83c4bda0ffafd1d4f29c99600fd18d53b24f6e4527b66906

SHA512
d4edbd54a004e59cd53cbc1f51291600c2248eb97ab8ef5760c6feb293b60d0943c079332a73503658fbe6579b7c01f2f6a93904db6e8105a3f3760bb6208863

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
36b3916c7143f05e8a2e50026a0a55de

SHA1
1f58ab8432bc7543903656902991022289a77602

SHA256
1e9e40870fc29a1b1d438eb48f4414d377c95edd04ce6d4418df20f755b8d938

SHA512
6d7c49b811e8d365529bef04fc31cd62a0c05137589453ceac00183d0959ae1594b27e0a523577551e4d005d4aaaa57c805992aa1f88de386e14b4720680cf97

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
27882f3f4803ff6585991e5a26769764

SHA1
9c4cc9526d155a2ee9786cfc6e4b674dc4b9dfe1

SHA256
c1dbd4f7412efcce6c3cff12158c3162572acb4bd438ac16a9e3bea8b6d3214f

SHA512
381b3745ca9714fdbe68291b8a545eed6299b8a83f22e818f3d4f17d8fca8caf0c5ac56c55285193b9fcd926668d540c4f4c7b69448b252621e8e0e76abe416a

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

Filesize
1KB

MD5
9233ab2aaf6a2dd710569560e8f3499d

SHA1
669fbe88c45b1cae1f761752643c598d5d76095f

SHA256
7302bf06455cd3ef74b9d01af0a2ca1558b84184488761cdc2dd07fa62fb2e0c

SHA512
bee4447297333d47b4e9bd0a8f2ad848c898aa687555c8a6c0a0e467c45455e1caaae2335885b131ae0d5c9795281f53d92aa7aae9a3241a0e52075eaae9a059

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

Filesize
1KB

MD5
d9bee920135c9efdf27f3fd85797d935

SHA1
6b6ea08ae1fa5fae1c06ecef9d053006d69beead

SHA256
719bcadd1604af0a56fae1ee995c56832cc19608165fdd4ee790e1ef36ca5b6b

SHA512
2f471b0e074cfaa422872c5b0bb49915b7e685573e6d23e94db67e23c67f5b59095c787a84b24c01e4b46b806d313d78c73082d03ccbbbde831f93e64db0969e

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
eeae65a0fd3bef4c190654ca451dab50

SHA1
5ebda0c2212f6baaf422c6707be399405b037ceb

SHA256
ad326dffd7df5df12d856afb3e9f78cbb853d2af6a0d9f804ee34f96f4c93bb2

SHA512
e075c0bfad3507048dca70ed8f5875eb29a29bc3c8d4eac61592ced149c9a5cdbcaa09d9f87f6a660105c6ee02d78cdf4eb71d362f283660cc6bc0fed82c6c14

Download Submit
C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\vlc.mo

Filesize
605KB

MD5
7bd8a11b221408de67239b93dc6bb517

SHA1
c6c1d9ca061724e743e4ff62b9ab2ba9f34a4b78

SHA256
cff19543f1de22fec34462e446639c60eef46ac7cc8471dbcc4963b9555ce6ec

SHA512
028344e4332c8b7c2160b1939e1c7f6df6344dddbeccb6104f438f74262276ccdbd94407beee7397f229faad7dc2f11d26e2a0ecccd158498435ea8f5ccbac36

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

Filesize
785KB

MD5
5978f28dd8382f78b3507cd11ece69e8

SHA1
76773da2bb9fdc3a31d5bd5ae25567e0304e52c9

SHA256
8c7bc3e8db3536a4b1b9331d70f5896dfbc08f5cf57db0bba17a8dd4f66a3922

SHA512
a35abee431b41a1a237bd8fab4e5ef368f311c237bb66a5e00292e5c4d531dc2119fec60799827c4c4698a57460e624938121142e3e686dc8be0be3b6535f1cd

Download Submit
C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
4048f90c68d8b5b84f93f2e5acee4752

SHA1
f7d0347d8169beac395a0ccf554277e3520e9d07

SHA256
6c2ec31a76aece006155605917e59571fa29050bc2cb6dc4f604aeb8e0daa2ce

SHA512
9021fa3fe3242ee410224ed03857a5f4d59640722e2268f5719f4cad0aa22460aed1c1a7e684d9401de73c80d0f027f939d47bd888ec1b0c72192e7b7d0d4607

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.Lck

Filesize
1KB

MD5
e22f2a85184e6c843e2b7117dded66f7

SHA1
0890f41fb10a23761dbf92adb62c51c68922a00c

SHA256
15005b099e7d47a997cabcc8a6a7f62431dfe301cfd594681e2a2127ad89f5c2

SHA512
d538fb016bc0e1149ce71f70466627fd8d79fdf3b359c1adaa994c733b7247043411ff9ffff77af5606d46add2b4d4d53da0ab7e36e33c524486713963898c82

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
db52d1b2d9089ed367cbfed40e6ad247

SHA1
dc45a234d7a0e7d489b60b03fec6366c00039f39

SHA256
384484d380246a8021b050874b4d4910de7153336f2b3f49c1eef476c5f2b9c4

SHA512
50619f23368d5ca86f498ab674c30fc24c3dbb032818f842561af70605b242fe652b7f7eb2941b68fd2d23fcf383d5e560fcc5e16d748f4c8a4146672b5253e7

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
3529b4f3af5c794021f1707206bcd9fa

SHA1
ef8eb739670c74b172a86b941ecaa5884619caa8

SHA256
8524144b83fe2b5e915a8ad786edfe2bc86943719b6433ba6b695005714cba6f

SHA512
c6f5392f32084c21098c3b4c9bd13eb7edfe5ddf3fff58d7736550e33c7a86f9783dcf373d445377e75a218be0694aa399a73e3f6ca589d68ce576ff2f68a505

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
181KB

MD5
8570c9d5a1a7e714af449cd8d52eaa1f

SHA1
02e071cd15f7a0a8ed2a47aeb334a762f11e00d1

SHA256
017d5fb1e0a8860b0534ff235f9d2f96ab2fb6198ab5219e8299e8aaf8191e60

SHA512
4af6e058bdccd29754faf766f211c773f2fd8e1df817b1177986efa747758712871fbb332f9488b3e490ac233c7e8fac0096715f59b64696e9f738a9a276846e

Download Submit