51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51

Resubmissions

14-10-2023 09:40

231014-lnbaaabg5w 10

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14-10-2023 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
Size

340KB
MD5

714870c33ba84e744b84b32e6e114ed9
SHA1

840f442d4466713becdf72b88846871330ac38e7
SHA256

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
SHA512

270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2
SSDEEP

6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE

Score

10^/10

evasion persistence ransomware

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\de-DE\HOW_TO_BACK_FILES.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

description	pid	process	target process
PID 2196 created 1264	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	Explorer.EXE

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2592 bcdedit.exe
2492 bcdedit.exe
Renames multiple (7547) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2748 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1712 wbadmin.exe

pid	process
2592	bcdedit.exe
2492	bcdedit.exe

pid	process
2748	wbadmin.exe

pid	process
1712	wbadmin.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exeNEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\""	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\""	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

description	ioc	process
File opened (read-only)	\??\P:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\T:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\U:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\W:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\Z:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\H:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\I:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\O:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\G:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\L:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\N:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\Q:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\R:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\F:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\B:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\E:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\Y:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\J:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\S:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\X:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\V:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\A:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\K:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened (read-only)	\??\M:	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

Drops file in Program Files directory 64 IoCs

Processes:

NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\Java\jre7\lib\jfr\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235319.WMF	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5B.GIF	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46F.GIF	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\Microsoft Games\Hearts\en-US\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0093905.WMF	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\THANKS.txt	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files (x86)\Common Files\System\ado\es-ES\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thule	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0287005.WMF	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14982_.GIF	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Atikokan	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OUTGOING.ICO	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialMergeLetter.dotx	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\HOW_TO_BACK_FILES.html	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2512 vssadmin.exe

pid	process
2512	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1720	taskkill.exe
2256	taskkill.exe
2580	taskkill.exe
604	taskkill.exe
2280	taskkill.exe
2896	taskkill.exe
2628	taskkill.exe
1092	taskkill.exe
1376	taskkill.exe
2764	taskkill.exe
2848	taskkill.exe
2748	taskkill.exe
2988	taskkill.exe
2916	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

pid	process
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2748	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	1092	taskkill.exe
Token: SeDebugPrivilege	604	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2196 wrote to memory of 2556	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2556	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2556	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2556	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2556 wrote to memory of 2592	2556	cmd.exe	cmd.exe
PID 2556 wrote to memory of 2592	2556	cmd.exe	cmd.exe
PID 2556 wrote to memory of 2592	2556	cmd.exe	cmd.exe
PID 2556 wrote to memory of 2592	2556	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2620	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2620	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2620	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2620	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2620 wrote to memory of 2712	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 2712	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 2712	2620	cmd.exe	cmd.exe
PID 2620 wrote to memory of 2712	2620	cmd.exe	cmd.exe
PID 2712 wrote to memory of 2748	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 2748	2712	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 2748	2712	cmd.exe	taskkill.exe
PID 2196 wrote to memory of 2596	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2596	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2596	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2596	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2596 wrote to memory of 2824	2596	cmd.exe	cmd.exe
PID 2596 wrote to memory of 2824	2596	cmd.exe	cmd.exe
PID 2596 wrote to memory of 2824	2596	cmd.exe	cmd.exe
PID 2596 wrote to memory of 2824	2596	cmd.exe	cmd.exe
PID 2824 wrote to memory of 2580	2824	cmd.exe	taskkill.exe
PID 2824 wrote to memory of 2580	2824	cmd.exe	taskkill.exe
PID 2824 wrote to memory of 2580	2824	cmd.exe	taskkill.exe
PID 2196 wrote to memory of 2500	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2500	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2500	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2500	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2500 wrote to memory of 2944	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2944	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2944	2500	cmd.exe	cmd.exe
PID 2500 wrote to memory of 2944	2500	cmd.exe	cmd.exe
PID 2944 wrote to memory of 2628	2944	cmd.exe	taskkill.exe
PID 2944 wrote to memory of 2628	2944	cmd.exe	taskkill.exe
PID 2944 wrote to memory of 2628	2944	cmd.exe	taskkill.exe
PID 2196 wrote to memory of 2464	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2464	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2464	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2464	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2464 wrote to memory of 2440	2464	cmd.exe	cmd.exe
PID 2464 wrote to memory of 2440	2464	cmd.exe	cmd.exe
PID 2464 wrote to memory of 2440	2464	cmd.exe	cmd.exe
PID 2464 wrote to memory of 2440	2464	cmd.exe	cmd.exe
PID 2440 wrote to memory of 2988	2440	cmd.exe	taskkill.exe
PID 2440 wrote to memory of 2988	2440	cmd.exe	taskkill.exe
PID 2440 wrote to memory of 2988	2440	cmd.exe	taskkill.exe
PID 2196 wrote to memory of 2420	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2420	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2420	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2196 wrote to memory of 2420	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe
PID 2420 wrote to memory of 1428	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 1428	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 1428	2420	cmd.exe	cmd.exe
PID 2420 wrote to memory of 1428	2420	cmd.exe	cmd.exe
PID 1428 wrote to memory of 2916	1428	cmd.exe	taskkill.exe
PID 1428 wrote to memory of 2916	1428	cmd.exe	taskkill.exe
PID 1428 wrote to memory of 2916	1428	cmd.exe	taskkill.exe
PID 2196 wrote to memory of 1420	2196	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exeNEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2196
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
      4⤵
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlbrowser.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sql writer.exe
        5⤵
        Kills process with taskkill
        
        PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlserv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msmdsrv.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im MsDtsSrvr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
    3⤵
    PID:1420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
      4⤵
      PID:2808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im sqlceip.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
    3⤵
    PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
      4⤵
      PID:1984
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdlauncher.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
    3⤵
    PID:2372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
      4⤵
      PID:1916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im Ssms.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
    3⤵
    PID:772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
      4⤵
      PID:1036
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im SQLAGENT.EXE
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
    3⤵
    PID:2776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
      4⤵
      PID:572
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im fdhost.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
    3⤵
    PID:1744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
      4⤵
      PID:1380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im ReportingServicesService.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
    3⤵
    PID:1232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
      4⤵
      PID:1964
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im msftesql.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
    3⤵
    PID:2052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
      4⤵
      PID:2856
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -im pg_ctl.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
    3⤵
    PID:3020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
      4⤵
      PID:2992
    - - C:\Windows\system32\taskkill.exe
        
        taskkill -f -impostgres.exe
        5⤵
        Kills process with taskkill
        
        PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
    3⤵
    PID:2096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
      4⤵
      PID:2272
    - - C:\Windows\system32\net.exe
        
        net stop MSSQLServerADHelper100
        5⤵
        
        PID:2092
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQLServerADHelper100
        6⤵
        
        PID:1920
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
    3⤵
    PID:1596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
      4⤵
      PID:1888
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$ISARS
        5⤵
        
        PID:3032
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$ISARS
        6⤵
        
        PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
    3⤵
    PID:3048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
      4⤵
      PID:840
    - - C:\Windows\system32\net.exe
        
        net stop MSSQL$MSFW
        5⤵
        
        PID:1156
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop MSSQL$MSFW
        6⤵
        
        PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
    3⤵
    PID:1752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
      4⤵
      PID:1796
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$ISARS
        5⤵
        
        PID:1560
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$ISARS
        6⤵
        
        PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
    3⤵
    PID:1224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
      4⤵
      PID:108
    - - C:\Windows\system32\net.exe
        
        net stop SQLAgent$MSFW
        5⤵
        
        PID:2276
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLAgent$MSFW
        6⤵
        
        PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
    3⤵
    PID:1340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
      4⤵
      PID:2892
    - - C:\Windows\system32\net.exe
        
        net stop SQLBrowser
        5⤵
        
        PID:544
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLBrowser
        6⤵
        
        PID:820
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
    3⤵
    PID:908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
      4⤵
      PID:3052
    - - C:\Windows\system32\net.exe
        
        net stop REportServer$ISARS
        5⤵
        
        PID:620
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop REportServer$ISARS
        6⤵
        
        PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
    3⤵
    PID:2864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
      4⤵
      PID:1612
    - - C:\Windows\system32\net.exe
        
        net stop SQLWriter
        5⤵
        
        PID:2172
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop SQLWriter
        6⤵
        
        PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:1776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      PID:760
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin.exe Delete Shadows /All /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
    3⤵
    PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
      4⤵
      PID:1748
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete backup -keepVersion:0 -quiet
        5⤵
        Deletes system backups
        
        PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
    3⤵
    PID:2180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
      4⤵
      PID:2956
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTATEBACKUP
        5⤵
        Deletes System State backups
        Drops file in Windows directory
        
        PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
    3⤵
    PID:2952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
      4⤵
      PID:896
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
        5⤵
        
        PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
    3⤵
    PID:964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
      4⤵
      PID:2388
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} recoverynabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
    3⤵
    PID:1956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
      4⤵
      PID:2124
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic.exe SHADOWCOPY /nointeractive
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      PID:1680
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2492
- C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
  \\?\C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -network
  2⤵
  - Adds Run key to start application
  - System policy modification
  PID:2008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

Filesize
1KB

MD5
71fd2d73c14ce297df06dae39c6c49d9

SHA1
1433a424a710c1abee3868d0c10c560ded23d407

SHA256
fee68e58227a3da22813c3ab528556c61e39c25330581bac29a1a7ef8ec332ef

SHA512
daab6110b2507f02ed5e369796eb7d670292424501674d8f0c793332a3249aeea0e7ae16c05e143d66ce5d3d0662752f8a42588026a14be08ec54796cc640e74

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

Filesize
1KB

MD5
34d8b3c0f2877c500de2264caea6146c

SHA1
bfb85a1f2c1d7e28719c7fcdf69218b770a94c2e

SHA256
fdb73c4ad0f0aea67c092983ee66f0813c91cb44e8a3854bd27104d21fbede87

SHA512
4a6bdb3236a0d685657b12a5668a40232838632c99ebd110d71e8531184aafa9e7bdf6410fca59f7f867e71935e325220c73d88d6d5ebe633f84e01eed5a475f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
1KB

MD5
37dc99e83256116c5c965b40f99c1c53

SHA1
cddf70ba1f6ca9666e1f6ec9e07f564feb1fe549

SHA256
67a49044671f13919a6355c41afbcc03ec24ee40bcdaa2d97611632a59cb4cca

SHA512
e4a6553df16439aa8b3a75c008ef4535fc4127f1307a954438e33a98713fb975916a26ccaf534cba35ab3b910b0436f3dd3cd39eb7b60a958e7e1d2324669909

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
1KB

MD5
e6110efbbc0d98604e13a4fe95746ef6

SHA1
e411fcb7af19a1444bc7fb41d8ac6b7976f3861b

SHA256
a077112b95507d9f3c1354c7dde0cb27f2048b33f4132cdf19887496c84d6b09

SHA512
c711a9860841bdd89c7c0e5d9c9d134fdc8e6038d3edbda42f98c8a7c955f3b2a0460f80193f786697b9e5716e592343536422c4c5b6f23d5119931f5d898630

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_K_COL.HXK.infected

Filesize
1KB

MD5
b1ad98b216f6eb0b416f2dad72481242

SHA1
ded296e07a2bef360ad3a5b6a7227808db9518de

SHA256
b30d9ffe461f209bc0b47edd1db84df075aa54766309f178d1dbc7fbbe7f99b4

SHA512
e89f9df4c02bad0776731a0a929f1ae283f44145d366295fee1baa0f923220f59573d544c3ae1b697273e4c735d6856b386dfd745fd3c9c580a6059d086d1dcc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

Filesize
1KB

MD5
e6e96853eff2de7e7277406450163832

SHA1
ad30990a1bd8223b04d6dbb05eaa466043b04dad

SHA256
aad01d899f9374c30f42aa049438098ab85333ebb5d8dff9c0674ab48208d747

SHA512
6ad959624ba11c363fee071de168a8ea4c892956cc7c2bdcfcc15364b2cf5864ac266ff92eb6ca7c757e7fe37d5807982f811cb6526d55e4a9e115ec7b74af7f

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF.infected

Filesize
1KB

MD5
43df997dc3bd96e2156c52f2791753a7

SHA1
f141f04ca45eeb5043000aec6470b192421c215d

SHA256
2fdffda46c9951da22f40abc6d1339586c4328eb4bf8d1f5be16951d5b21287d

SHA512
b892daeb22035f760e5b173d1c85458fea312627eca4e3f5524c4b739c6729cfa090a75c05fb46a7b9812bed29d668a6c34fd243c33414d97b94ea00dae62685

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_ON.GIF.infected

Filesize
1KB

MD5
0082c0bba1302891ef66f66d3f2b7840

SHA1
702a50376461f47fb70d172089ada43101f5bfbc

SHA256
d79030f0505cedcd7a4dd85da7caaa4481c6b7957c8352834b49b97086e56a1f

SHA512
791f1e369f955e667b5b17f6d7d7383b1f0becf7c8fe44f72ee2d32ccc253b55ff2d91efa97fe388d877c24aaa11ae55b23f28cc3b30c9276ec6a8c79f90ad96

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_OFF.GIF

Filesize
1KB

MD5
09895c51f4e430b7d18110790c696437

SHA1
ae02a8a3cc1703f944252d79870d566ebd51acf0

SHA256
3e804cb1c90e1f64952158f38e8e7627060ee8fb87649ee83c43156b40676fb6

SHA512
9b3b5c0841070c24411138382b5411194d9e1d45b978ae0b77eb8ebd327b2c06ea608b99395a0384d18fd633850879ed80eec36c220830c80422041b813aeb28

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF

Filesize
1KB

MD5
63b5d814ad7f5013fb160f5db125068e

SHA1
5b9552bab627c2e2d5e5a3ac2763e46fec1dcb4a

SHA256
1a7a24b8ed1cbffe5630e8212804dd5edc34a0753881610e69a8ceea10f71f30

SHA512
53d21f8bccee754301b9cdcf5a285581023e1c4a0f244ea8c453222b9b88e134ed698dd88e535f1d797028be9fce991fd34efeff23bc0cce4aa56514947bb9dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
2KB

MD5
9628966e58adc8a53a902f30c648fcd9

SHA1
2400091c38b3a9ac72029e303990c9f8339e117c

SHA256
773481e3734e53bf19c417e0eb9b4a06f9b18c38acdffcc5831733d02778049f

SHA512
6fa4fd5b3ee1e67d28ad9cf029d3bb1205eaf5481a08f107da8b4a81fd5a5311065ec6df6db570b7b52483d4812e770a892f2657e0f9ffbabe62cae041e118ec

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
2KB

MD5
3471365a22e2a5eaed548a37c2fe39d1

SHA1
12a027bbade24fcb43d9aef3bb11b19161417603

SHA256
9af81250274089ada9ead5d19e70765e0d08221e270ee5e775f390d362eb93da

SHA512
9f1c412115ae30af7a0e3a2f33653ac16ffc71b7dfd19cc541304d9047530a238afe0254fa42eaa88650becafbdddc82b05ba25f1ba1a04a28dce8fda1721477

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
2KB

MD5
9ecdcb5ab1ea0840b460d1f861dcecfe

SHA1
09e7c9d6efe46daf57d88992f7280ccac3ffb25b

SHA256
4db1e5ca48372be18b922cd16c16ef7b2790833c5854e76c594d2ba72d3e11ba

SHA512
5383ec6d577eb55b5ee57e3dd126bf3737a9896843184eaf5fd7380b911a935b1ef46ace6427e807fcfa9fe1a69d44525c2cd5e1425f371f8974c2f850b23dac

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
2KB

MD5
d1c60073c1bb7d508967bd6dee6ca80a

SHA1
d14aade749cbaf2e6e6d3bf00bd0f96a9f861fc6

SHA256
0823c4cb7fdb3f92a4fd7e3095976ccce376935c2a1fa8ce919180f10b261583

SHA512
a4022010b6f0249eab4c36ace96541639bd175f07c7c57bf74abd6c968c98112683cbf71800de3dbb3d40701817d6603e56dc45fb8289964018f4a1739ebf784

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
2KB

MD5
c2b9da84527928ca0259590a7e61e8f8

SHA1
abd3c9ebd64bf54ee4c7b39b722b85d64197c6eb

SHA256
2d904377174f263443e0eff64641e0453e4eb98f46290821c79a49c6739ba612

SHA512
30d07d564a7801ae1b0ca856a53d9506b097f3ae6e6fede01eee5d9902f792976f2a89f9f7aa8fa6b26ebc504488de4a71bd72cfcfd8e3d60262e8caef30fa42

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
2KB

MD5
4a099d562c3ed15c63ff4e700ecf66a8

SHA1
993b58536783060b3988952a6fa23e2bacf9e0c6

SHA256
63a3f594a30f904f17aa998317b48371a0c1b60b4fccd595e1d1f8d55ebb5c10

SHA512
58eee3af710ed5e59d68e5f57abf3b0b7a86016bfa1d6efa8f5538fc2fe721908ab5b1b92f11c8934898f041c5cea8fb2f9ba018527c89abe3f561c8f6ae2d5b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
2KB

MD5
d76d96f426d4c1b19593db98bec7e6f5

SHA1
822191f6a0662204a63f2597fb2e081c66a06ce0

SHA256
edef00e17f494e7f8dbc50d5f1c9906d3d38a5e5607140a3dc2dd33491882e18

SHA512
87c3649468b62235c69f81c06bf1f1d5cb304690806b64ef505e593eef2748ecc7b6e348ba410b987af9d61759764ffdc4d791bbb09d67a5d75325f5810c40e6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
2KB

MD5
6cfc00658a2c848fe2507457c95e6bf3

SHA1
6bdaa41cf5016f7540a0ec5b44516b093b65fff1

SHA256
9d0a342d8d1ca142428076204225ffc4d17a8c0764f6f698dd5385aeca0c0d9b

SHA512
d4030823212ff1da5361a1b179f8e6ef65b7658d004e54f9ce6ce3de8b633d2ea086afbb24cb14ad4a81fd831ebf4d01e3be618879afb23d22fa634aaa65172d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
2KB

MD5
7d7e72bf067336b04a578447106c0abf

SHA1
4127fff5d032babc0ca968734b698e0b2d7a7c9c

SHA256
089c4c0f3f22fa99c955d1f3a2eec0b1745d92b2fd938962a52c2fb4e4dea4c2

SHA512
134c53c1ba6febabbdc97bcf31ec1a7b2da14f02999dae1e881d0fca5b41e10c210a51f1e1382ec48c1e45e10e2f9024f33eed76aca5b1c6f2e4d3c3eaaefb39

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml

Filesize
248KB

MD5
7408483362b6295247e3d0772f469d38

SHA1
33d72e9b9fffe6c402a121de30e56253a1d5da8a

SHA256
b0db29529749262b7c211d248e0f0604982ede370430343d28f7afdaa4ed7b68

SHA512
d6d5435f9746181cd9ab1cd7ad03627acdba2d05c08c44163fd136352014c310483fe4ce2a54ad28b7065b7943d7ba4a7dcfd9ec35d84cb75dad21481a1a7620

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

Filesize
2KB

MD5
7a0352593b3b59cfb0e11de135f635f1

SHA1
4697a31b2b27c2f9c5fe0bdc1dba16994f7f58b5

SHA256
5f55550c667d7247a0d31d6f0d8d421dd866d0092b2831b0305891099c2e0696

SHA512
6be5593d54af63b280718eee333c08aa7525ca5ee389dff344a37468dfae81d33b6c8e4578f9d63660555cb3d2983550ff17d1b655812a51e786c7338b481bb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML

Filesize
2KB

MD5
6caaf5254a4573a37444bf01126a0cb1

SHA1
e8985857f33c928e43f09f6069dcb95e5961eb9d

SHA256
f04e386bf3edb54375d9b1746753313e6082eef6f33a256b8b0a3e1b2a0bf59f

SHA512
66179db3990c756d577767db1bc8fa901e7bf81f914f68b8762c5f96ecf191e165bc45fbbe783ae1e491496d3b5d613a1ea31801385054f3f11165c13b30677c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

Filesize
7KB

MD5
3ebbddb9a3db85f757dfb6b02ea98770

SHA1
87d13958d9c3141ff04958b43b9fbf09be9f8e99

SHA256
09387014a778bb2f8ce099ee4196f36a2a1a3de7234a74aeffca4d5e2e3e1aa7

SHA512
0eb28694e803259c14692af109934e10e5aecbfab5597835b0ed59b2208561794ae3012c9ac96f9a40efdcd04887ecd6806557df5b72f163b874230af6838802

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
28aec1a7d5111e137f1dfca3ef29666e

SHA1
ce9b569a6a2a3eaf326dfdfc9ebad02ec1fe5cdd

SHA256
93591dcc9e61c945a91acbf4be26a3b59d251b782957bf0f159f9d00e8176eb9

SHA512
5ed350258859dec35a2e9c67c66ec450a947b3f95a918806664ebd6b0da751ff26e178a48c665d5bdcdc8aa2ea0048d272aeefce00f9b3e25426f09cbcaa3b6f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT

Filesize
1KB

MD5
a027be0bc7d101224210948183646399

SHA1
ac73b2f83b24d2aeed841cac67bb7ef0b66e4349

SHA256
ac5bc1006b4ad2353778854277dea8f2844244f4f5f2067f62d9ef55bf24490f

SHA512
0c2694d2a3094d5e3b3b049954ab07792260022504982cb6a21a541b3136ecd143a47472648bfdd775dff094af8c549bfc620b736dd097f194dcc317db3a359f

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

Filesize
1KB

MD5
20946278f90aa8b93ef6e5bc52257e23

SHA1
95ed13cd68b1b793fb86ee2dff08f0d153e96793

SHA256
f11b89359ec77377927832ac094f37c8e0e39f33eff61df68902c08bedd87b9d

SHA512
77aa3d624a74374d95e7588f96cdf787147518d4b860f177b07f8131b2e3bf485cd189019f015a0a8436ae67b3a5a4a661253e2785e35bc3142dd0fdd7992d03

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

Filesize
1KB

MD5
8b4c3470cc8a360906844948527b2263

SHA1
129dc198941b42b1734fad6e7144042a780a7f10

SHA256
065ece26cdb80e256c647d1c05377518c80a78d9299412d253007a6921ad140a

SHA512
52b8c2dfcd7e01aa6543ad5a2f7af9ebdc44efe43d5dd128488b1452077d901fda54b27b5a2a6e3908b28521c3d15432a698d813248458aeb2a14fdbe47f47ea

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

Filesize
1KB

MD5
030ed135741a0c45adf4609277b1ba3e

SHA1
b576d3cbe2ed36d23fd6f4f78ea9b7964340d23a

SHA256
bac5d5f71bb8e681936c3ef0433c9524e50e80bc849d29df79328da904fb12e9

SHA512
15e61c6066d7acca66742b4fe1a82a91795cc218b59f18cae14aa071d8c0274ddb8902d6788a33c8ef9e2adf980b7901712cb50fdb3ab3f08507619e8a8b702d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
13KB

MD5
d3ffd498af7508b8c009953784ea3ad5

SHA1
3546137843d145773d77446675f36894c4e26416

SHA256
ed59b8dc45b56ff4c199a058070db699b5a995a60a44c7ba751239b85d2743e2

SHA512
225ce831f6d1da1354ea6282337a825620f9a27866f705cd79759846400e8a18fffda3dcd22d09063a7e45edbfaf866958e4d2dcba7164a1cf3d0b1bc990bcc5

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
10KB

MD5
a9db9a44c3f5bdb7d87b36d40dceb6d0

SHA1
1e7cac3a45b4c409718d89077f160209e94701bb

SHA256
1f0f58d98ee113d861891ece93fea59f443d1b774981aa3d091901abb34016cd

SHA512
d3fd1a086cad7d3134d729a696b924cc3ebe48376e53e33c7bf93db5f92267ecb648ecc19e4cc7a833a6991e94c9750e5dedcf9bf4d4780fc9f66b63f2770592

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

Filesize
1KB

MD5
a794a5ec45f7e4814244621c6c5d4fdf

SHA1
dbd37cd776fffaa1693bd0bd10e18f652bb062f2

SHA256
5775ef4fce435de2306df683eaacebab19f9081deb836974d63e4308295c9c10

SHA512
283f540c5dea45c5d14d3ab589de9fa1d3585d1094994ae4f77ce0ffe030084aa22e2cca4a515762d254a2aeb0d4e5c374e34dd1ef87716fab96824496cfdc5e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
95f935207cbd48624903f6a4baff4656

SHA1
b5849714a6678bdacec9d0db9f17d01cb8f4a077

SHA256
77da74f6af4339bb3e1aa0a4cfac06c86d9c338245472b84a6d127233620620b

SHA512
c946b601b75fd008b9e22df87be7b3ead9917a6dc24c8a2a1842ece6494529300f87e90766d6abf6ed6aa8080b47e588d99379c9a5f407ce00f2822a3d0e6bb4

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
12KB

MD5
da9161793f097002349b6945bd811b56

SHA1
a5f2e1a866dddeb2171cda67ed379652f3b63804

SHA256
06f5ef101d55661ae2a030afb1f363d7d5faf7e93c93b57065ad5e43f2181935

SHA512
60493cb3ea126ffd40ae34ef1f587311416db6fc47c20b7de23f5a45215054fd3b30374a5fd1126f9afd2dd5d4acf3360c8f3dbf1be064943aae36c5abdf496b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

Filesize
9KB

MD5
cfea348fea1f77b6301c80d580bbb872

SHA1
dee0cabbbfc2156f5f72b76e7e73b107c1d2651b

SHA256
47b0091178940d377519ff83d28182407f65dfee6eaf72be66fa99b87ef2105b

SHA512
6e0e4d4e608bb866e53de60c42cff0c73e528196361a5b15fdbca83e4dac65f7ccdc37f0ecf37bb8fdf43a879576d457ceb596f122ed5b22b8fcb18bd24964f1

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

Filesize
1KB

MD5
8580a558ef3d5c5d12ddd7bf778a3930

SHA1
8bc7628f1d22d164610301319002d1139773641c

SHA256
3c9961f8b13d1dc25ca72ea734cd394c80fa39a535eb227efadbdf28f192710b

SHA512
76afe2a20fc4691982197e0e7ab2621adeeadfaf48288399434ca993e618101451c31f950d07c1dbc995beb50ef0b2f20027d401694d6b465e83f79a0b43042b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

Filesize
1KB

MD5
5c6b27942dfabd5061fbe352091812ac

SHA1
1200f955d9cfefe677eebcdeafea06e14c51731c

SHA256
91b67fffe04d80045e1334910a8999a020b13b261a38d90ac0f3535c74a45d49

SHA512
285c58061e7774569fe061230b56700ea235aa626d9e11db49fd326ad455356e27686818f7586f2afe6c4b318af56e2c03b813ef7173285769ac8e6ef7a15560

Download Submit
C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
1KB

MD5
c2d489a57c95120a8886baca3cdb6cd0

SHA1
5cd31f5002e3ee0a4edbda671994dca2171ecaff

SHA256
5148ec4a5809c84258b7a6443fba21db1d29ef40a51709f4a339a1bb389a99d3

SHA512
919f4204fcdb373cf44874b581a3e4eb49a88a1e7accfbae9e254eb67a223743ac4b0d1a605f412043d1e526ed75e6e42f65bf5eeec7762b21cc4efe75bf2ceb

Download Submit
C:\Program Files\Java\jre7\lib\zi\Etc\UTC.infected

Filesize
1KB

MD5
bbd6c223f4db56fdd19b5f57a30a3887

SHA1
c3c303e29fde48c6457e25845812fc1fc4e42ed9

SHA256
d3132db40f0141cf7fa4adf2e17c304f83be81e3326b9127a213f689af97fee9

SHA512
19fbdbca25d891f7f44124757653de82b3533b6eda4d1c2100d4e196d3d14750390ac4422abae23d071187763cc3ce6427457b6648b8d1ebbeeddf7743d1f934

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

Filesize
1KB

MD5
1c324901cf7a76e34b8e411258c6225c

SHA1
a06bd0e80ed91c4c4902a16b9159cbc23da93e74

SHA256
f6e0640b6ab89bef875a4931ce7303ee8e585c7925cc34a0b5c0f8b5e2a87fc9

SHA512
4360818907292eddf3b344696e23722829acd846c45558043ab352fc49d64b52cd5919fbf06a9299c9e2e550a9a7f8295ba685d0bccbd46ce99bd8debf15a88d

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

Filesize
1KB

MD5
0113e513042ff75e361ddd2a8e012085

SHA1
e3a997c8dcce29eaf9b8a7e8dc28fbf13966515b

SHA256
e4bd27889fe0f26df446dddae4181329ffd0d293efe00258af7e34e4b6751a7c

SHA512
e2329643203606024511e719537e571107dfb6dbfb5b24998aca4f41588bec0abf5a290971cea3f29260418513d2435ac2cd8f70e6649850b1fc575179e0c0c3

Download Submit
C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

Filesize
1KB

MD5
a07b83735c07d793879d09d47c18f959

SHA1
94a01d77f21194aea2354d06b1844235c7ca8f72

SHA256
3f62d789cd05279121f0d3b31a9579eb3f35163255c821f6155d2600036f77e3

SHA512
90cf453fc34353580d91b875afe222a8b0d54e039665d7dee8e9eeb7dbf8401980748be9d0651fc3e696bbdad68829cfa3191194c0328bb535052d64619ec423

Download Submit
C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

Filesize
609KB

MD5
59f05604e1339bedd1ceab2e638fbc2f

SHA1
f9ef358dc52af7e68a386ef68cc119bb0ce015a9

SHA256
fe36b0dd4e8efbe4debaf8113b91e0f1b2cbb9e481f0dbaba0470513fe5bb520

SHA512
4787e898d094810bfcf74b0973ac40d54c09b7e413247ca38d015440f0f5b10309bc3951b72be6595e272720de0eb27426fdd7872b858e78141c0ccd752fcfea

Download Submit
C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

Filesize
606KB

MD5
b8fd2562e68e98b596f2a51a19b98ca5

SHA1
b942f7ce77fbda604aadb191e6acf8a063c6b369

SHA256
c908f15d88ba7a0a097d92f87c0b989f86e4faae6c538a376abcf29bbc9f5b90

SHA512
f0faf263393bb23e866dc79b03415df8ece95f3a6ffcca7802fdaf36b9e6628494983ac86ac53f240c7517d281914ad9d0a2921c37ae3a3f671f5a239e0a8d09

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

Filesize
1KB

MD5
7e200443122b40506bd79a166a87451c

SHA1
58c987b7fd025e65f1ce7cb9145b88048571e809

SHA256
7da9d3e6ba6f518a7872e551d6497d5d127436c31ef8dfc1dfa76b771c2416eb

SHA512
f84e414d4fcf633441253afd22ef8c66872cf7dd9a411e867a2dc4b6df29e51109bd30f422f795d76fb2e91d5a4f10072b1cba184ada924bb052214734e9ccf0

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

Filesize
1KB

MD5
d823440a414b7dc563a88dc0d9fcde8a

SHA1
89a60ecd4d8896854af96b102c6b251ae2dd5fd9

SHA256
4866f5194170287e9faa426b7a8eb638e35c4345557dafa2ba6864fbaaef51c8

SHA512
a722fd9b468d5c5bd8307d0dba1794f7436aad35c86411843e2be3854379787e5654d8afba22d7cbbf2b4fe57166814c6bfaf06a45061204e598d840a61dc085

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

Filesize
1KB

MD5
1141963709aef7ebddc8a5675732ad1a

SHA1
98bd490a2553ae4e746a65844d827a33ce3a8eac

SHA256
701c4c2592885274637652fefc1ef26b150c760e5a0e9439b21fc9aa693f0379

SHA512
1480f7578b93c00f22f41db367b864b96fd6a8f38cddf3f0891b18bc9a6166803d6db9993c677df7ac412560a21bf5c0f1833e60edf65b04bc8720c4fd71a4d2

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

Filesize
181KB

MD5
0bc621f6a22d7c0f3888c30a7a94a0e1

SHA1
127c22310c4ca8402580fccf4bc5344693bc4ca0

SHA256
b7590fbec0af3f40259ae5686a5b7bce1f5f1b21a90a7777452e8ec9e0d6f0e1

SHA512
ebd2459430adf84003f1df113d2d819ba8f77e29ae4306bc85f7ffd0da6f3c14034c81956ef8bf27a6c83376c435edf5e1b969d3123c32771569ec4adcccd933

Download Submit
\Device\HarddiskVolume1\Boot\de-DE\HOW_TO_BACK_FILES.html

Filesize
3KB

MD5
a8514fd9f3a52ab2a00f57494d03b2fe

SHA1
0e204aabbd8b5d6ee1b36d10429d65eb436afd14

SHA256
056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028

SHA512
6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

Download Submit