d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae

Analysis

max time kernel
151s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Size

335KB
MD5

c3d5522f176830c4a24223c96439f668
SHA1

46574cd17ee2a1f2084dc83a65df94e13ce25061
SHA256

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae
SHA512

0ed0510f4bba6280e4319f3742d1775d7d251c35517f74f1e2f7350ac68239879b0171a279aab252947163977f363cf3852d52747b225aa160f882cb82bc532b
SSDEEP

6144:1YS9RhUoKV8TCylQ0MWNns5wiSvypQof+9RpfbMPrac6bhMq:1/9T0ylQ0MWNns5xSvyp7W6MMq

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">bneIvRFVVlxwdk7NseD7FxBL7lrgjVYBwgOgOLW5GNnoO4QeLloC0qn/Fj56p/BCdrvD/IN5H5C0DAypRbs0KytdankXqzMvsClZNHY0/oxKY0eSvfWv92vmYD9omXLJtUw4Zsrenyncd8dgqrapES/LgoDMKe1L/dsf2MjhCUd9O2PnwJGlOJcMk9V3YmPeRvt3SINSwyjq8rwJW09rmQQ2TSlfot56fuGPwObTXOauagXw+t86PydyFUAYAtZl+BWnGewkf9YTjv5XGFlYk6Wp/r27DzkTnvXSCv2zikaOFjDqaPqyAC2m/L5wSci6NK7rwpfyjLC+7LiwoVvXHjIkICFSKzwqs1FeFYrgCDkV35yBeYAmRjS5G5xQ4UOsPIlK7t8XRaEvXfv4MvnJYV0o/IzuMPpkS5qpSi82mtRFR07ZWIvn/Ytzd9qAE6K+UV3pTjMgWiJSnQlFctDcLD3GVR+19GMtrJHc+d3Ib/mYNSWyEaaEXYC+obK6Ig2UMVr9XZgb7U5UHjNHnuYURY0ii50eC2bS2Trbj3Nt1pJ6vYjCXnG9oP+MxmOypiRPoWdA+x2O3heYndaaUBIMb3ycPrC7qmCfw/T+8GzQqK94aiKKJ7Rh/s+8r7VzlkvDFm2JpjBumJv0Rc3VjInGEJnollbpK0Rsv4nVraAtOFlsdnD8XvqOWjYn2UF423sWKbZfZL4cvDriJHAx9QNor65ouOR8PYzT7G1/JNkoWCaMnF9uKGw/h28VVfN9V9W65xTvQRtbSbYKaebE8+phQ2+QUZuo8qLj37zgLlqkQw7lGKn29MCBtDliQA/UUKL8xh6X/jQz7oq8a67cMN/sN3VOjIS/tM2L+gSKsfmSaJZrU606EomcTKyuaD3EpLQvlb7YsAQXWWOC8DIsXUSYuBghlxxnQ7NG12CaLm9mV3Bvp8JekU5svIb5Dr1JYr5cIvGpgIiAq/DXxwN5nJp2WEFsQSce/B3nA8Cg9wf8amg1rjg2Th2SXLaCeIEF8+Y4jgf3DJ6+4XKn9kdqklT+mnTzz6G4Qk63bn7EfacjyTeFlscuyiYKCuKEtU2YKNauhytotySFb7rV6q5+B08k/FpGdq/aSBEWs3FwFkGDD9QbIYEO3bfs7pvv243pK43pVqxigOEeOCaZ1GCq73FuR+Ky1Q78HethyKjdw0UjCxQb1tHjA6nEX/v1C+8RrBGNzx9MMVkDIO4vFjz0x16CNfpaa9ktE3rxNAzyeYaK+DG9COy00NgeG9VwEaZkWmsXnqtNJ+rchjy5UuEH/w3JY45dSHW+yDCPyVoVByzwja9JyG3Gp9GNXfEsNk7At0u7jipvFV+mlkGsFcG9kkIwUu/IrCOUBlZGxAsIbZFsbItwXaxk9DBJ4RUpY/a28URMlWNxyXtDHcbyDM/3Ow+LhuGoYSktFCCa2d0kGhsjDtnKqpBzHmdN1UopMtOIP96xzx0ME3DrElT3PBwvN4+NIdla/jY9Ulprc8IFh7DvQhsFD53XL1+daPzlXRFRRAsCKEMvJe3WVKu5jxJQY2PMtooytV8lqfldZztI07kcMYvn420/ihS7VCllHnO5NiDPXEAFoLD2u4Dn3Fpy6yitEj1yafo6Ip9HTCgcabbHi+THurnPrgX7GEMF2Zhn5yoFtv+3u5EPhE6umWKN1VCw0N5unA9pjknebC+BaMQONY4=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

description pid process target process

PID 2224 created 1384 2224 d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2772 bcdedit.exe
2780 bcdedit.exe
Renames multiple (5095) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2420 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2488 wbadmin.exe

description	pid	process	target process
PID 2224 created 1384	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	Explorer.EXE

pid	process
2772	bcdedit.exe
2780	bcdedit.exe

pid	process
2420	wbadmin.exe

pid	process
2488	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exed9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe\""	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe\""	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

description	ioc	process
File opened (read-only)	\??\A:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\E:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\G:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\N:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\Q:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\V:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\W:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\H:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\I:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\J:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\M:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\O:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\R:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\X:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\B:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\K:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\L:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\P:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\S:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\T:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\U:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\Y:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\Z:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened (read-only)	\??\F:	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Drops file in Program Files directory 64 IoCs

Processes:

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Notes_loop_PAL.wmv	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105530.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212953.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01358_.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216874.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00217_.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_ja.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.GIF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Mexico_City	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Volgograd	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00165_.GIF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EN00006_.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\rt.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-api-caching.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01066_.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152696.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00523_.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-output2_ja.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_zh_CN.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\THMBNAIL.PNG	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.ELM	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\SONORA.INF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.VisualElementsManifest.xml	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187863.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\GRAY.pf	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jre7\lib\javaws.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\ja-JP\ShvlRes.dll.mui	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\main.css	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\sbdrop.dll.mui	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.IDX	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00152_.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\How_to_back_files.html	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Singapore	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195788.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01152_.WMF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\meta-index	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01745_.GIF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Reykjavik	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\THMBNAIL.PNG	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BABY_01.MID	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2472 vssadmin.exe

pid	process
2472	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2700	taskkill.exe
1084	taskkill.exe
2476	taskkill.exe
2132	taskkill.exe
2396	taskkill.exe
2144	taskkill.exe
2620	taskkill.exe
1184	taskkill.exe
1524	taskkill.exe
2092	taskkill.exe
2412	taskkill.exe
2328	taskkill.exe
1256	taskkill.exe
2316	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

pid	process
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	1184	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2128	WMIC.exe
Token: SeSecurityPrivilege	2128	WMIC.exe
Token: SeTakeOwnershipPrivilege	2128	WMIC.exe
Token: SeLoadDriverPrivilege	2128	WMIC.exe
Token: SeSystemProfilePrivilege	2128	WMIC.exe
Token: SeSystemtimePrivilege	2128	WMIC.exe
Token: SeProfSingleProcessPrivilege	2128	WMIC.exe
Token: SeIncBasePriorityPrivilege	2128	WMIC.exe
Token: SeCreatePagefilePrivilege	2128	WMIC.exe
Token: SeBackupPrivilege	2128	WMIC.exe
Token: SeRestorePrivilege	2128	WMIC.exe
Token: SeShutdownPrivilege	2128	WMIC.exe
Token: SeDebugPrivilege	2128	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2128	WMIC.exe
Token: SeRemoteShutdownPrivilege	2128	WMIC.exe
Token: SeUndockPrivilege	2128	WMIC.exe
Token: SeManageVolumePrivilege	2128	WMIC.exe
Token: 33	2128	WMIC.exe
Token: 34	2128	WMIC.exe
Token: 35	2128	WMIC.exe
Token: SeBackupPrivilege	760	vssvc.exe
Token: SeRestorePrivilege	760	vssvc.exe
Token: SeAuditPrivilege	760	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2224 wrote to memory of 2708	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2708	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2708	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2708	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2708 wrote to memory of 2548	2708	cmd.exe	cmd.exe
PID 2708 wrote to memory of 2548	2708	cmd.exe	cmd.exe
PID 2708 wrote to memory of 2548	2708	cmd.exe	cmd.exe
PID 2708 wrote to memory of 2548	2708	cmd.exe	cmd.exe
PID 2224 wrote to memory of 2424	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2424	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2424	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2424	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2424 wrote to memory of 2576	2424	cmd.exe	cmd.exe
PID 2424 wrote to memory of 2576	2424	cmd.exe	cmd.exe
PID 2424 wrote to memory of 2576	2424	cmd.exe	cmd.exe
PID 2424 wrote to memory of 2576	2424	cmd.exe	cmd.exe
PID 2576 wrote to memory of 2700	2576	cmd.exe	taskkill.exe
PID 2576 wrote to memory of 2700	2576	cmd.exe	taskkill.exe
PID 2576 wrote to memory of 2700	2576	cmd.exe	taskkill.exe
PID 2224 wrote to memory of 2584	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2584	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2584	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2584	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2584 wrote to memory of 2416	2584	cmd.exe	cmd.exe
PID 2584 wrote to memory of 2416	2584	cmd.exe	cmd.exe
PID 2584 wrote to memory of 2416	2584	cmd.exe	cmd.exe
PID 2584 wrote to memory of 2416	2584	cmd.exe	cmd.exe
PID 2416 wrote to memory of 2412	2416	cmd.exe	taskkill.exe
PID 2416 wrote to memory of 2412	2416	cmd.exe	taskkill.exe
PID 2416 wrote to memory of 2412	2416	cmd.exe	taskkill.exe
PID 2224 wrote to memory of 2436	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2436	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2436	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2436	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2436 wrote to memory of 2492	2436	cmd.exe	cmd.exe
PID 2436 wrote to memory of 2492	2436	cmd.exe	cmd.exe
PID 2436 wrote to memory of 2492	2436	cmd.exe	cmd.exe
PID 2436 wrote to memory of 2492	2436	cmd.exe	cmd.exe
PID 2492 wrote to memory of 2328	2492	cmd.exe	taskkill.exe
PID 2492 wrote to memory of 2328	2492	cmd.exe	taskkill.exe
PID 2492 wrote to memory of 2328	2492	cmd.exe	taskkill.exe
PID 2224 wrote to memory of 2720	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2720	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2720	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 2720	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2720 wrote to memory of 2368	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 2368	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 2368	2720	cmd.exe	cmd.exe
PID 2720 wrote to memory of 2368	2720	cmd.exe	cmd.exe
PID 2368 wrote to memory of 2396	2368	cmd.exe	taskkill.exe
PID 2368 wrote to memory of 2396	2368	cmd.exe	taskkill.exe
PID 2368 wrote to memory of 2396	2368	cmd.exe	taskkill.exe
PID 2224 wrote to memory of 524	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 524	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 524	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 2224 wrote to memory of 524	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe
PID 524 wrote to memory of 776	524	cmd.exe	cmd.exe
PID 524 wrote to memory of 776	524	cmd.exe	cmd.exe
PID 524 wrote to memory of 776	524	cmd.exe	cmd.exe
PID 524 wrote to memory of 776	524	cmd.exe	cmd.exe
PID 776 wrote to memory of 1084	776	cmd.exe	taskkill.exe
PID 776 wrote to memory of 1084	776	cmd.exe	taskkill.exe
PID 776 wrote to memory of 1084	776	cmd.exe	taskkill.exe
PID 2224 wrote to memory of 1416	2224	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exed9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1384
- C:\Users\Admin\AppData\Local\Temp\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
  "C:\Users\Admin\AppData\Local\Temp\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:776
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:1416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:564
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:2592
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:1652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:1204
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:2668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:1644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:1528
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:1212
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:2972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:1832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:3036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:2968
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:1020
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:1704
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:840
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:984
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:1180
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1840
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:2340
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:3016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:2232
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:828
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:752
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:2932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:1772
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:2372
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:2352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:1412
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:2304
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:1188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:892
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:2540
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2996
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:1600
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2728
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2532
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:1708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:2568
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:1800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2748
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:2420
- C:\Users\Admin\AppData\Local\Temp\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:2708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:3048

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
1⤵
PID:960
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop SQLAgent$ISARS
  2⤵
  PID:2044

C:\Windows\system32\net.exe
net stop SQLWriter
1⤵
PID:1452
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop SQLWriter
  2⤵
  PID:1904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\How_to_back_files.html

Filesize
5KB

MD5
54f660bcc5f320a797ea1083a986bb3d

SHA1
95819a4065ea6f0fbecd4dc45ee580c6337d704c

SHA256
1b6e158b6e6c9785de1a9377170e43eee6e26f36a54a1128addd70f5edb9dacf

SHA512
3a554a19a0c799444a49f6ae04d4f4d2383f924c2f2ed4f95c4b8122b15d1dc0484e82315799277b578777b0738dc0a4731813d9d1986cdda9cb9469495e2dd4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\ij

Filesize
7KB

MD5
ebe28cdce9332a7cfc4cd6373c67302d

SHA1
c95e119ceb43c52d58545163ab2081d7e4fb039b

SHA256
2073aff72b956593ac1e0f496f8d8d63c6584c6e79c6a074543b17e8dbce32f3

SHA512
413d11b8c8aea623d207532e85ac358111503a5cf38b739d1c0cf4da50cf5e6aa5375b48830db50f34ce86c94589c9d054351b4cf60a10e86dbd40f6131e3319

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
f4f5380e3364d441ccbb3a8c59ced2a5

SHA1
816e682e9bfc722aabc35fd4c82261cc366e790c

SHA256
dfc1728378bfa2ab0b6b5bf7584f2d534187dc03abd9fd61dd59b19d70b9a187

SHA512
c2add2e19abb723c179fb94ab526cb5f0bb5a05d40362be749c0b416fb77c80da868b21f4bb72217a11bfe8a51efc7895d37e1f509d9b23343e4fba8b77f4941

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
517e2a53339de2c685d6bc1dad2f170f

SHA1
6315747a0a2e64b5a5f4b2849b31353e422b1e2d

SHA256
457d284516838a5d1ca5c8ffd6ec1399935ce1e0e6678e9cb5b85f7efa298cae

SHA512
9bb615ed24efa1ce68dead5673d3b002b05f81a988171c5066ccc3bb9f5aa462796aa50f579067817ebb4ddce7c61b96d8a4aff145163ee537e023e007e5d933

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
390347e3bd72544d55be66c9af6038a1

SHA1
ed96dcdb76cbaff11390fc189074dd75c27061ba

SHA256
41668b2ab3c311f200c22d70f3fcad3281eb81b52d87e51f05463249b652f16e

SHA512
bbd19b77c0cca4b59cc5755bb2f47ca300f5945c74e54f4d057d58267cf08f06ba9b3e1aa4f56b092da25536ae5592796f1861689e26674b87acfa65c52478d7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
77692dc749e2c0d5f32d5b671456b8ab

SHA1
e836b260f3b6db5ea98007a6768460d586f59e2f

SHA256
2f7f241d42f6589625ada3bee5cbede2caca906c4f5355a5824c47621a240977

SHA512
8bccfe664084224407370663b5b1e725519ca279f2357dd79fecf50de23e5c8cd007a0bd70c3bd2f1a2f5e6e86558d22be50bc26b5c76b4324e425871312ba32

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
ab1241256a5ac47829b2d64e23245a97

SHA1
43661f335e1e82795164f3b7aba27c072e93b1f0

SHA256
bf2e42ec4f258d472126c415f956bb97e8aa504653c19aea631cd3bc74b4816d

SHA512
46c41ef761a074f1cae95a74a7d414b5f55d5a8d9441c16df7693da6f95ee361384415e9f15d063f9ca06ae3a6b004896263492db847aba1deb8846658a3ace6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
feacc681cdd08031bfce69546d43c2a7

SHA1
e800e3840f49b46e0f0437529e66f4f8660f6200

SHA256
ccf52fe9a7debb9b1168891a7a134fb32614e35d9c6bd69304f11e15c5ad9793

SHA512
c0b9ac87a2d3deb63d48bb3f457ce00166d0f50e05a7a8827874a90950f94d0b9c8c848a9c01d325671c618cc69cd2cebc15c59eacdd9184376b4bce3e6944b6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
4d427054df5b9e9ed97f86ff78a77a6d

SHA1
7881485e63e1305d2a382d17ab6aa58029cd1968

SHA256
bea35f1ca59551b05d689b8dabba90bdb07d7b4226f29148d8dd673b4675769b

SHA512
ed0fae4aebda5f01174ee7c3aa757c5fd5ba3701791d77b1a803f3ad7b166fde0c1ae03c226c597e021a0fa8699454f75040a03d99a40f9c1d3721a344e20c8b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
8d8e53d28ca27595f4579c8f517142bd

SHA1
97a20449c6caa3e750504b4b86c64301cca02ab4

SHA256
f3f37aa2c6dc864d82814d414753424671922321c6b884d2a02c0e214421417b

SHA512
e913351f14c67feb43ad5d31aef325a166452bc459f70dad38c15ccf17f58d0a646e64ab7af1bd3f515a9f65c50451cbb78b0bc44161f8d57d2a54997977d448

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html

Filesize
13KB

MD5
b4b02d363bafe8f1c0220703ab05671f

SHA1
e7d68a609a5cac05700e9f7366b4068bdeb18de4

SHA256
dd7671e5e760a94e5c189996e39b3ae65f9f9de8fccc260a72a0d861636a9d1d

SHA512
747977d4f45a2d9ed9e8ff3465df9e187c671a7a4311eb886c6e0201fc25decfca8b047e1bf9bf18bff324b46d0cce2538f485b24253b9b5aca60e9c4832999d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html

Filesize
10KB

MD5
3540997d2246b1b1f50742215f7c4676

SHA1
94fd06df7328fb330851921f64fbc396327daea5

SHA256
104aaf0cae574b3c0ffce6e7fe4d24149988690e4b92e3392b07c12304379996

SHA512
102318ec880ef42dc6084869b0c19b4558323676e965d55a9a7baa376a99e435a9864784523491d68153c2c1a5420dc24d5024af8033b5401901d9891847ac1a

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-api-visual.xml_hidden

Filesize
1KB

MD5
d896b6f76716aea451b24c9fd819a0d0

SHA1
f7c93f4444a478eb0292158547b96c10c134c80e

SHA256
045f20119eaf5f6413264b069156de8ecbc44b1b6de2b12513f8b64ce240a384

SHA512
25cda3b7c7d984b87016b318f39d1e0a121165cada1d9e16ddf20fb3d775db1afe1f8805c568515c1b7834b8fa1c676bdf21b807805e8db53dcfb5f2bc71f5bd

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
f2cf86c07b4fa5d0ad0e57d02d2f4444

SHA1
e4eb22487810ceea725ad44c0d95c7bd2fda9211

SHA256
a42ba7d773df0be8345333bdd803ead1fc7acc8e926e4850d955d90dc1eaad6d

SHA512
c8b0609cdc4704fcfe29d4a02ab52defe1119c9ec37833393ee4595c3fc3f058628654a89fc59965a35308187c4131d4bbd7bd2972970842ca4561675534c89f

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UCT

Filesize
1KB

MD5
28c541590c9ceed8b0ff140cf36411b1

SHA1
7fa5eaebb0db1f0a2132b3289737309abefb1c1b

SHA256
098e7855a7884c470ecb3660e4dea1343f852509734f3367e07af2ad9658666b

SHA512
3602583810a9056f90dcca0b014a10c0fdf3d795bd19777fab09a5dc23b80a81bf4b3be9e32482fb20516781ff69d5b27841ce5dd24240e8ea8475ad4adeaeea

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
52c232520dfd56a735a214dcd265e1eb

SHA1
b079350bb278c4b70ae1c788d961d5370bce06ab

SHA256
f5d08686c75b5de010f67da39a26b1f3a48f4e93de57d73f854f692eea416301

SHA512
c21d21fef4481e13e24bac44bea76f592a4236f3e3ab166021992225fe07697cc2f79651aa8b3667eab68c401ec280862b30a317e9c659916206f6f54de861ce

Download Submit