Resubmissions
14-10-2023 09:40
231014-lnbaaabg5w 10Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
14-10-2023 09:40
Behavioral task
behavioral1
Sample
NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
Resource
win10v2004-20230915-en
General
-
Target
NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
-
Size
340KB
-
MD5
714870c33ba84e744b84b32e6e114ed9
-
SHA1
840f442d4466713becdf72b88846871330ac38e7
-
SHA256
51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
-
SHA512
270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2
-
SSDEEP
6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE
Malware Config
Extracted
\Device\HarddiskVolume1\Boot\de-DE\HOW_TO_BACK_FILES.html
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description pid Process procid_target PID 2196 created 1264 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 21 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2592 bcdedit.exe 2492 bcdedit.exe -
Renames multiple (7547) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
pid Process 2748 wbadmin.exe -
pid Process 1712 wbadmin.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\"" NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\"" NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\T: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\U: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\W: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\Z: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\H: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\I: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\O: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\G: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\L: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\N: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\Q: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\R: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\F: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\B: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\E: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\Y: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\J: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\S: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\X: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\V: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\A: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\K: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened (read-only) \??\M: NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Java\jre7\lib\jfr\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235319.WMF NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5B.GIF NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46F.GIF NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Microsoft Games\Hearts\en-US\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0093905.WMF NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\VideoLAN\VLC\lua\sd\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Windows NT\TableTextService\es-ES\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files (x86)\Common Files\System\ado\es-ES\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thule NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0287005.WMF NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14982_.GIF NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Atikokan NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OUTGOING.ICO NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialMergeLetter.dotx NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\HOW_TO_BACK_FILES.html NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2512 vssadmin.exe -
Kills process with taskkill 14 IoCs
pid Process 1720 taskkill.exe 2256 taskkill.exe 2580 taskkill.exe 604 taskkill.exe 2280 taskkill.exe 2896 taskkill.exe 2628 taskkill.exe 1092 taskkill.exe 1376 taskkill.exe 2764 taskkill.exe 2848 taskkill.exe 2748 taskkill.exe 2988 taskkill.exe 2916 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2748 taskkill.exe Token: SeDebugPrivilege 2628 taskkill.exe Token: SeDebugPrivilege 2988 taskkill.exe Token: SeDebugPrivilege 2916 taskkill.exe Token: SeDebugPrivilege 2764 taskkill.exe Token: SeDebugPrivilege 1092 taskkill.exe Token: SeDebugPrivilege 604 taskkill.exe Token: SeDebugPrivilege 2280 taskkill.exe Token: SeDebugPrivilege 1720 taskkill.exe Token: SeDebugPrivilege 1376 taskkill.exe Token: SeDebugPrivilege 2256 taskkill.exe Token: SeDebugPrivilege 2848 taskkill.exe Token: SeIncreaseQuotaPrivilege 1628 WMIC.exe Token: SeSecurityPrivilege 1628 WMIC.exe Token: SeTakeOwnershipPrivilege 1628 WMIC.exe Token: SeLoadDriverPrivilege 1628 WMIC.exe Token: SeSystemProfilePrivilege 1628 WMIC.exe Token: SeSystemtimePrivilege 1628 WMIC.exe Token: SeProfSingleProcessPrivilege 1628 WMIC.exe Token: SeIncBasePriorityPrivilege 1628 WMIC.exe Token: SeCreatePagefilePrivilege 1628 WMIC.exe Token: SeBackupPrivilege 1628 WMIC.exe Token: SeRestorePrivilege 1628 WMIC.exe Token: SeShutdownPrivilege 1628 WMIC.exe Token: SeDebugPrivilege 1628 WMIC.exe Token: SeSystemEnvironmentPrivilege 1628 WMIC.exe Token: SeRemoteShutdownPrivilege 1628 WMIC.exe Token: SeUndockPrivilege 1628 WMIC.exe Token: SeManageVolumePrivilege 1628 WMIC.exe Token: 33 1628 WMIC.exe Token: 34 1628 WMIC.exe Token: 35 1628 WMIC.exe Token: SeBackupPrivilege 2672 vssvc.exe Token: SeRestorePrivilege 2672 vssvc.exe Token: SeAuditPrivilege 2672 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2556 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 29 PID 2196 wrote to memory of 2556 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 29 PID 2196 wrote to memory of 2556 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 29 PID 2196 wrote to memory of 2556 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 29 PID 2556 wrote to memory of 2592 2556 cmd.exe 31 PID 2556 wrote to memory of 2592 2556 cmd.exe 31 PID 2556 wrote to memory of 2592 2556 cmd.exe 31 PID 2556 wrote to memory of 2592 2556 cmd.exe 31 PID 2196 wrote to memory of 2620 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 32 PID 2196 wrote to memory of 2620 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 32 PID 2196 wrote to memory of 2620 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 32 PID 2196 wrote to memory of 2620 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 32 PID 2620 wrote to memory of 2712 2620 cmd.exe 34 PID 2620 wrote to memory of 2712 2620 cmd.exe 34 PID 2620 wrote to memory of 2712 2620 cmd.exe 34 PID 2620 wrote to memory of 2712 2620 cmd.exe 34 PID 2712 wrote to memory of 2748 2712 cmd.exe 35 PID 2712 wrote to memory of 2748 2712 cmd.exe 35 PID 2712 wrote to memory of 2748 2712 cmd.exe 35 PID 2196 wrote to memory of 2596 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 37 PID 2196 wrote to memory of 2596 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 37 PID 2196 wrote to memory of 2596 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 37 PID 2196 wrote to memory of 2596 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 37 PID 2596 wrote to memory of 2824 2596 cmd.exe 39 PID 2596 wrote to memory of 2824 2596 cmd.exe 39 PID 2596 wrote to memory of 2824 2596 cmd.exe 39 PID 2596 wrote to memory of 2824 2596 cmd.exe 39 PID 2824 wrote to memory of 2580 2824 cmd.exe 40 PID 2824 wrote to memory of 2580 2824 cmd.exe 40 PID 2824 wrote to memory of 2580 2824 cmd.exe 40 PID 2196 wrote to memory of 2500 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 41 PID 2196 wrote to memory of 2500 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 41 PID 2196 wrote to memory of 2500 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 41 PID 2196 wrote to memory of 2500 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 41 PID 2500 wrote to memory of 2944 2500 cmd.exe 43 PID 2500 wrote to memory of 2944 2500 cmd.exe 43 PID 2500 wrote to memory of 2944 2500 cmd.exe 43 PID 2500 wrote to memory of 2944 2500 cmd.exe 43 PID 2944 wrote to memory of 2628 2944 cmd.exe 44 PID 2944 wrote to memory of 2628 2944 cmd.exe 44 PID 2944 wrote to memory of 2628 2944 cmd.exe 44 PID 2196 wrote to memory of 2464 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 45 PID 2196 wrote to memory of 2464 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 45 PID 2196 wrote to memory of 2464 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 45 PID 2196 wrote to memory of 2464 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 45 PID 2464 wrote to memory of 2440 2464 cmd.exe 47 PID 2464 wrote to memory of 2440 2464 cmd.exe 47 PID 2464 wrote to memory of 2440 2464 cmd.exe 47 PID 2464 wrote to memory of 2440 2464 cmd.exe 47 PID 2440 wrote to memory of 2988 2440 cmd.exe 48 PID 2440 wrote to memory of 2988 2440 cmd.exe 48 PID 2440 wrote to memory of 2988 2440 cmd.exe 48 PID 2196 wrote to memory of 2420 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 49 PID 2196 wrote to memory of 2420 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 49 PID 2196 wrote to memory of 2420 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 49 PID 2196 wrote to memory of 2420 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 49 PID 2420 wrote to memory of 1428 2420 cmd.exe 51 PID 2420 wrote to memory of 1428 2420 cmd.exe 51 PID 2420 wrote to memory of 1428 2420 cmd.exe 51 PID 2420 wrote to memory of 1428 2420 cmd.exe 51 PID 1428 wrote to memory of 2916 1428 cmd.exe 52 PID 1428 wrote to memory of 2916 1428 cmd.exe 52 PID 1428 wrote to memory of 2916 1428 cmd.exe 52 PID 2196 wrote to memory of 1420 2196 NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe 53 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1264
-
C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2196 -
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"3⤵
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"4⤵PID:2592
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlbrowser.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\system32\taskkill.exetaskkill -f -im sql writer.exe5⤵
- Kills process with taskkill
PID:2580
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlserv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2628
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\system32\taskkill.exetaskkill -f -im msmdsrv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\system32\taskkill.exetaskkill -f -im MsDtsSrvr.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2916
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe3⤵PID:1420
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe4⤵PID:2808
-
C:\Windows\system32\taskkill.exetaskkill -f -im sqlceip.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe3⤵PID:2324
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe4⤵PID:1984
-
C:\Windows\system32\taskkill.exetaskkill -f -im fdlauncher.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe3⤵PID:2372
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe4⤵PID:1916
-
C:\Windows\system32\taskkill.exetaskkill -f -im Ssms.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:604
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE3⤵PID:772
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE4⤵PID:1036
-
C:\Windows\system32\taskkill.exetaskkill -f -im SQLAGENT.EXE5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2280
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe3⤵PID:2776
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe4⤵PID:572
-
C:\Windows\system32\taskkill.exetaskkill -f -im fdhost.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe3⤵PID:1744
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe4⤵PID:1380
-
C:\Windows\system32\taskkill.exetaskkill -f -im ReportingServicesService.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe3⤵PID:1232
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe4⤵PID:1964
-
C:\Windows\system32\taskkill.exetaskkill -f -im msftesql.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe3⤵PID:2052
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe4⤵PID:2856
-
C:\Windows\system32\taskkill.exetaskkill -f -im pg_ctl.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2848
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe3⤵PID:3020
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe4⤵PID:2992
-
C:\Windows\system32\taskkill.exetaskkill -f -impostgres.exe5⤵
- Kills process with taskkill
PID:2896
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper1003⤵PID:2096
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper1004⤵PID:2272
-
C:\Windows\system32\net.exenet stop MSSQLServerADHelper1005⤵PID:2092
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1006⤵PID:1920
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS3⤵PID:1596
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS4⤵PID:1888
-
C:\Windows\system32\net.exenet stop MSSQL$ISARS5⤵PID:3032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS6⤵PID:2236
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW3⤵PID:3048
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW4⤵PID:840
-
C:\Windows\system32\net.exenet stop MSSQL$MSFW5⤵PID:1156
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW6⤵PID:2360
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS3⤵PID:1752
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS4⤵PID:1796
-
C:\Windows\system32\net.exenet stop SQLAgent$ISARS5⤵PID:1560
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS6⤵PID:2308
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW3⤵PID:1224
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW4⤵PID:108
-
C:\Windows\system32\net.exenet stop SQLAgent$MSFW5⤵PID:2276
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW6⤵PID:2884
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser3⤵PID:1340
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLBrowser4⤵PID:2892
-
C:\Windows\system32\net.exenet stop SQLBrowser5⤵PID:544
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser6⤵PID:820
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS3⤵PID:908
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS4⤵PID:3052
-
C:\Windows\system32\net.exenet stop REportServer$ISARS5⤵PID:620
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop REportServer$ISARS6⤵PID:2872
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter3⤵PID:2864
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLWriter4⤵PID:1612
-
C:\Windows\system32\net.exenet stop SQLWriter5⤵PID:2172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter6⤵PID:1932
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵PID:1776
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:760
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:2512
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵PID:2868
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet4⤵PID:1748
-
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet5⤵
- Deletes system backups
PID:1712
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵PID:2180
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:2956
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP5⤵
- Deletes System State backups
- Drops file in Windows directory
PID:2748
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest3⤵PID:2952
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest4⤵PID:896
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTABACKUP -deleteOldest5⤵PID:2752
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵PID:964
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No4⤵PID:2388
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No5⤵
- Modifies boot configuration data using bcdedit
PID:2592
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive3⤵PID:1956
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:2124
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵PID:2204
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:1680
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:2492
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\\?\C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -network2⤵
- Adds Run key to start application
- System policy modification
PID:2008
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD571fd2d73c14ce297df06dae39c6c49d9
SHA11433a424a710c1abee3868d0c10c560ded23d407
SHA256fee68e58227a3da22813c3ab528556c61e39c25330581bac29a1a7ef8ec332ef
SHA512daab6110b2507f02ed5e369796eb7d670292424501674d8f0c793332a3249aeea0e7ae16c05e143d66ce5d3d0662752f8a42588026a14be08ec54796cc640e74
-
Filesize
1KB
MD534d8b3c0f2877c500de2264caea6146c
SHA1bfb85a1f2c1d7e28719c7fcdf69218b770a94c2e
SHA256fdb73c4ad0f0aea67c092983ee66f0813c91cb44e8a3854bd27104d21fbede87
SHA5124a6bdb3236a0d685657b12a5668a40232838632c99ebd110d71e8531184aafa9e7bdf6410fca59f7f867e71935e325220c73d88d6d5ebe633f84e01eed5a475f
-
Filesize
1KB
MD537dc99e83256116c5c965b40f99c1c53
SHA1cddf70ba1f6ca9666e1f6ec9e07f564feb1fe549
SHA25667a49044671f13919a6355c41afbcc03ec24ee40bcdaa2d97611632a59cb4cca
SHA512e4a6553df16439aa8b3a75c008ef4535fc4127f1307a954438e33a98713fb975916a26ccaf534cba35ab3b910b0436f3dd3cd39eb7b60a958e7e1d2324669909
-
Filesize
1KB
MD5e6110efbbc0d98604e13a4fe95746ef6
SHA1e411fcb7af19a1444bc7fb41d8ac6b7976f3861b
SHA256a077112b95507d9f3c1354c7dde0cb27f2048b33f4132cdf19887496c84d6b09
SHA512c711a9860841bdd89c7c0e5d9c9d134fdc8e6038d3edbda42f98c8a7c955f3b2a0460f80193f786697b9e5716e592343536422c4c5b6f23d5119931f5d898630
-
Filesize
1KB
MD5b1ad98b216f6eb0b416f2dad72481242
SHA1ded296e07a2bef360ad3a5b6a7227808db9518de
SHA256b30d9ffe461f209bc0b47edd1db84df075aa54766309f178d1dbc7fbbe7f99b4
SHA512e89f9df4c02bad0776731a0a929f1ae283f44145d366295fee1baa0f923220f59573d544c3ae1b697273e4c735d6856b386dfd745fd3c9c580a6059d086d1dcc
-
Filesize
1KB
MD5e6e96853eff2de7e7277406450163832
SHA1ad30990a1bd8223b04d6dbb05eaa466043b04dad
SHA256aad01d899f9374c30f42aa049438098ab85333ebb5d8dff9c0674ab48208d747
SHA5126ad959624ba11c363fee071de168a8ea4c892956cc7c2bdcfcc15364b2cf5864ac266ff92eb6ca7c757e7fe37d5807982f811cb6526d55e4a9e115ec7b74af7f
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF.infected
Filesize1KB
MD543df997dc3bd96e2156c52f2791753a7
SHA1f141f04ca45eeb5043000aec6470b192421c215d
SHA2562fdffda46c9951da22f40abc6d1339586c4328eb4bf8d1f5be16951d5b21287d
SHA512b892daeb22035f760e5b173d1c85458fea312627eca4e3f5524c4b739c6729cfa090a75c05fb46a7b9812bed29d668a6c34fd243c33414d97b94ea00dae62685
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_ON.GIF.infected
Filesize1KB
MD50082c0bba1302891ef66f66d3f2b7840
SHA1702a50376461f47fb70d172089ada43101f5bfbc
SHA256d79030f0505cedcd7a4dd85da7caaa4481c6b7957c8352834b49b97086e56a1f
SHA512791f1e369f955e667b5b17f6d7d7383b1f0becf7c8fe44f72ee2d32ccc253b55ff2d91efa97fe388d877c24aaa11ae55b23f28cc3b30c9276ec6a8c79f90ad96
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_OFF.GIF
Filesize1KB
MD509895c51f4e430b7d18110790c696437
SHA1ae02a8a3cc1703f944252d79870d566ebd51acf0
SHA2563e804cb1c90e1f64952158f38e8e7627060ee8fb87649ee83c43156b40676fb6
SHA5129b3b5c0841070c24411138382b5411194d9e1d45b978ae0b77eb8ebd327b2c06ea608b99395a0384d18fd633850879ed80eec36c220830c80422041b813aeb28
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF
Filesize1KB
MD563b5d814ad7f5013fb160f5db125068e
SHA15b9552bab627c2e2d5e5a3ac2763e46fec1dcb4a
SHA2561a7a24b8ed1cbffe5630e8212804dd5edc34a0753881610e69a8ceea10f71f30
SHA51253d21f8bccee754301b9cdcf5a285581023e1c4a0f244ea8c453222b9b88e134ed698dd88e535f1d797028be9fce991fd34efeff23bc0cce4aa56514947bb9dc
-
Filesize
2KB
MD59628966e58adc8a53a902f30c648fcd9
SHA12400091c38b3a9ac72029e303990c9f8339e117c
SHA256773481e3734e53bf19c417e0eb9b4a06f9b18c38acdffcc5831733d02778049f
SHA5126fa4fd5b3ee1e67d28ad9cf029d3bb1205eaf5481a08f107da8b4a81fd5a5311065ec6df6db570b7b52483d4812e770a892f2657e0f9ffbabe62cae041e118ec
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif
Filesize2KB
MD53471365a22e2a5eaed548a37c2fe39d1
SHA112a027bbade24fcb43d9aef3bb11b19161417603
SHA2569af81250274089ada9ead5d19e70765e0d08221e270ee5e775f390d362eb93da
SHA5129f1c412115ae30af7a0e3a2f33653ac16ffc71b7dfd19cc541304d9047530a238afe0254fa42eaa88650becafbdddc82b05ba25f1ba1a04a28dce8fda1721477
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif
Filesize2KB
MD59ecdcb5ab1ea0840b460d1f861dcecfe
SHA109e7c9d6efe46daf57d88992f7280ccac3ffb25b
SHA2564db1e5ca48372be18b922cd16c16ef7b2790833c5854e76c594d2ba72d3e11ba
SHA5125383ec6d577eb55b5ee57e3dd126bf3737a9896843184eaf5fd7380b911a935b1ef46ace6427e807fcfa9fe1a69d44525c2cd5e1425f371f8974c2f850b23dac
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif
Filesize2KB
MD5d1c60073c1bb7d508967bd6dee6ca80a
SHA1d14aade749cbaf2e6e6d3bf00bd0f96a9f861fc6
SHA2560823c4cb7fdb3f92a4fd7e3095976ccce376935c2a1fa8ce919180f10b261583
SHA512a4022010b6f0249eab4c36ace96541639bd175f07c7c57bf74abd6c968c98112683cbf71800de3dbb3d40701817d6603e56dc45fb8289964018f4a1739ebf784
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif
Filesize2KB
MD5c2b9da84527928ca0259590a7e61e8f8
SHA1abd3c9ebd64bf54ee4c7b39b722b85d64197c6eb
SHA2562d904377174f263443e0eff64641e0453e4eb98f46290821c79a49c6739ba612
SHA51230d07d564a7801ae1b0ca856a53d9506b097f3ae6e6fede01eee5d9902f792976f2a89f9f7aa8fa6b26ebc504488de4a71bd72cfcfd8e3d60262e8caef30fa42
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif
Filesize2KB
MD54a099d562c3ed15c63ff4e700ecf66a8
SHA1993b58536783060b3988952a6fa23e2bacf9e0c6
SHA25663a3f594a30f904f17aa998317b48371a0c1b60b4fccd595e1d1f8d55ebb5c10
SHA51258eee3af710ed5e59d68e5f57abf3b0b7a86016bfa1d6efa8f5538fc2fe721908ab5b1b92f11c8934898f041c5cea8fb2f9ba018527c89abe3f561c8f6ae2d5b
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif
Filesize2KB
MD5d76d96f426d4c1b19593db98bec7e6f5
SHA1822191f6a0662204a63f2597fb2e081c66a06ce0
SHA256edef00e17f494e7f8dbc50d5f1c9906d3d38a5e5607140a3dc2dd33491882e18
SHA51287c3649468b62235c69f81c06bf1f1d5cb304690806b64ef505e593eef2748ecc7b6e348ba410b987af9d61759764ffdc4d791bbb09d67a5d75325f5810c40e6
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif
Filesize2KB
MD56cfc00658a2c848fe2507457c95e6bf3
SHA16bdaa41cf5016f7540a0ec5b44516b093b65fff1
SHA2569d0a342d8d1ca142428076204225ffc4d17a8c0764f6f698dd5385aeca0c0d9b
SHA512d4030823212ff1da5361a1b179f8e6ef65b7658d004e54f9ce6ce3de8b633d2ea086afbb24cb14ad4a81fd831ebf4d01e3be618879afb23d22fa634aaa65172d
-
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif
Filesize2KB
MD57d7e72bf067336b04a578447106c0abf
SHA14127fff5d032babc0ca968734b698e0b2d7a7c9c
SHA256089c4c0f3f22fa99c955d1f3a2eec0b1745d92b2fd938962a52c2fb4e4dea4c2
SHA512134c53c1ba6febabbdc97bcf31ec1a7b2da14f02999dae1e881d0fca5b41e10c210a51f1e1382ec48c1e45e10e2f9024f33eed76aca5b1c6f2e4d3c3eaaefb39
-
Filesize
248KB
MD57408483362b6295247e3d0772f469d38
SHA133d72e9b9fffe6c402a121de30e56253a1d5da8a
SHA256b0db29529749262b7c211d248e0f0604982ede370430343d28f7afdaa4ed7b68
SHA512d6d5435f9746181cd9ab1cd7ad03627acdba2d05c08c44163fd136352014c310483fe4ce2a54ad28b7065b7943d7ba4a7dcfd9ec35d84cb75dad21481a1a7620
-
Filesize
2KB
MD57a0352593b3b59cfb0e11de135f635f1
SHA14697a31b2b27c2f9c5fe0bdc1dba16994f7f58b5
SHA2565f55550c667d7247a0d31d6f0d8d421dd866d0092b2831b0305891099c2e0696
SHA5126be5593d54af63b280718eee333c08aa7525ca5ee389dff344a37468dfae81d33b6c8e4578f9d63660555cb3d2983550ff17d1b655812a51e786c7338b481bb6
-
Filesize
2KB
MD56caaf5254a4573a37444bf01126a0cb1
SHA1e8985857f33c928e43f09f6069dcb95e5961eb9d
SHA256f04e386bf3edb54375d9b1746753313e6082eef6f33a256b8b0a3e1b2a0bf59f
SHA51266179db3990c756d577767db1bc8fa901e7bf81f914f68b8762c5f96ecf191e165bc45fbbe783ae1e491496d3b5d613a1ea31801385054f3f11165c13b30677c
-
Filesize
7KB
MD53ebbddb9a3db85f757dfb6b02ea98770
SHA187d13958d9c3141ff04958b43b9fbf09be9f8e99
SHA25609387014a778bb2f8ce099ee4196f36a2a1a3de7234a74aeffca4d5e2e3e1aa7
SHA5120eb28694e803259c14692af109934e10e5aecbfab5597835b0ed59b2208561794ae3012c9ac96f9a40efdcd04887ecd6806557df5b72f163b874230af6838802
-
Filesize
1KB
MD528aec1a7d5111e137f1dfca3ef29666e
SHA1ce9b569a6a2a3eaf326dfdfc9ebad02ec1fe5cdd
SHA25693591dcc9e61c945a91acbf4be26a3b59d251b782957bf0f159f9d00e8176eb9
SHA5125ed350258859dec35a2e9c67c66ec450a947b3f95a918806664ebd6b0da751ff26e178a48c665d5bdcdc8aa2ea0048d272aeefce00f9b3e25426f09cbcaa3b6f
-
Filesize
1KB
MD5a027be0bc7d101224210948183646399
SHA1ac73b2f83b24d2aeed841cac67bb7ef0b66e4349
SHA256ac5bc1006b4ad2353778854277dea8f2844244f4f5f2067f62d9ef55bf24490f
SHA5120c2694d2a3094d5e3b3b049954ab07792260022504982cb6a21a541b3136ecd143a47472648bfdd775dff094af8c549bfc620b736dd097f194dcc317db3a359f
-
Filesize
1KB
MD520946278f90aa8b93ef6e5bc52257e23
SHA195ed13cd68b1b793fb86ee2dff08f0d153e96793
SHA256f11b89359ec77377927832ac094f37c8e0e39f33eff61df68902c08bedd87b9d
SHA51277aa3d624a74374d95e7588f96cdf787147518d4b860f177b07f8131b2e3bf485cd189019f015a0a8436ae67b3a5a4a661253e2785e35bc3142dd0fdd7992d03
-
Filesize
1KB
MD58b4c3470cc8a360906844948527b2263
SHA1129dc198941b42b1734fad6e7144042a780a7f10
SHA256065ece26cdb80e256c647d1c05377518c80a78d9299412d253007a6921ad140a
SHA51252b8c2dfcd7e01aa6543ad5a2f7af9ebdc44efe43d5dd128488b1452077d901fda54b27b5a2a6e3908b28521c3d15432a698d813248458aeb2a14fdbe47f47ea
-
Filesize
1KB
MD5030ed135741a0c45adf4609277b1ba3e
SHA1b576d3cbe2ed36d23fd6f4f78ea9b7964340d23a
SHA256bac5d5f71bb8e681936c3ef0433c9524e50e80bc849d29df79328da904fb12e9
SHA51215e61c6066d7acca66742b4fe1a82a91795cc218b59f18cae14aa071d8c0274ddb8902d6788a33c8ef9e2adf980b7901712cb50fdb3ab3f08507619e8a8b702d
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize13KB
MD5d3ffd498af7508b8c009953784ea3ad5
SHA13546137843d145773d77446675f36894c4e26416
SHA256ed59b8dc45b56ff4c199a058070db699b5a995a60a44c7ba751239b85d2743e2
SHA512225ce831f6d1da1354ea6282337a825620f9a27866f705cd79759846400e8a18fffda3dcd22d09063a7e45edbfaf866958e4d2dcba7164a1cf3d0b1bc990bcc5
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize10KB
MD5a9db9a44c3f5bdb7d87b36d40dceb6d0
SHA11e7cac3a45b4c409718d89077f160209e94701bb
SHA2561f0f58d98ee113d861891ece93fea59f443d1b774981aa3d091901abb34016cd
SHA512d3fd1a086cad7d3134d729a696b924cc3ebe48376e53e33c7bf93db5f92267ecb648ecc19e4cc7a833a6991e94c9750e5dedcf9bf4d4780fc9f66b63f2770592
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf
Filesize1KB
MD5a794a5ec45f7e4814244621c6c5d4fdf
SHA1dbd37cd776fffaa1693bd0bd10e18f652bb062f2
SHA2565775ef4fce435de2306df683eaacebab19f9081deb836974d63e4308295c9c10
SHA512283f540c5dea45c5d14d3ab589de9fa1d3585d1094994ae4f77ce0ffe030084aa22e2cca4a515762d254a2aeb0d4e5c374e34dd1ef87716fab96824496cfdc5e
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
Filesize9KB
MD595f935207cbd48624903f6a4baff4656
SHA1b5849714a6678bdacec9d0db9f17d01cb8f4a077
SHA25677da74f6af4339bb3e1aa0a4cfac06c86d9c338245472b84a6d127233620620b
SHA512c946b601b75fd008b9e22df87be7b3ead9917a6dc24c8a2a1842ece6494529300f87e90766d6abf6ed6aa8080b47e588d99379c9a5f407ce00f2822a3d0e6bb4
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize12KB
MD5da9161793f097002349b6945bd811b56
SHA1a5f2e1a866dddeb2171cda67ed379652f3b63804
SHA25606f5ef101d55661ae2a030afb1f363d7d5faf7e93c93b57065ad5e43f2181935
SHA51260493cb3ea126ffd40ae34ef1f587311416db6fc47c20b7de23f5a45215054fd3b30374a5fd1126f9afd2dd5d4acf3360c8f3dbf1be064943aae36c5abdf496b
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA
Filesize9KB
MD5cfea348fea1f77b6301c80d580bbb872
SHA1dee0cabbbfc2156f5f72b76e7e73b107c1d2651b
SHA25647b0091178940d377519ff83d28182407f65dfee6eaf72be66fa99b87ef2105b
SHA5126e0e4d4e608bb866e53de60c42cff0c73e528196361a5b15fdbca83e4dac65f7ccdc37f0ecf37bb8fdf43a879576d457ceb596f122ed5b22b8fcb18bd24964f1
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF
Filesize1KB
MD58580a558ef3d5c5d12ddd7bf778a3930
SHA18bc7628f1d22d164610301319002d1139773641c
SHA2563c9961f8b13d1dc25ca72ea734cd394c80fa39a535eb227efadbdf28f192710b
SHA51276afe2a20fc4691982197e0e7ab2621adeeadfaf48288399434ca993e618101451c31f950d07c1dbc995beb50ef0b2f20027d401694d6b465e83f79a0b43042b
-
C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden
Filesize1KB
MD55c6b27942dfabd5061fbe352091812ac
SHA11200f955d9cfefe677eebcdeafea06e14c51731c
SHA25691b67fffe04d80045e1334910a8999a020b13b261a38d90ac0f3535c74a45d49
SHA512285c58061e7774569fe061230b56700ea235aa626d9e11db49fd326ad455356e27686818f7586f2afe6c4b318af56e2c03b813ef7173285769ac8e6ef7a15560
-
Filesize
1KB
MD5c2d489a57c95120a8886baca3cdb6cd0
SHA15cd31f5002e3ee0a4edbda671994dca2171ecaff
SHA2565148ec4a5809c84258b7a6443fba21db1d29ef40a51709f4a339a1bb389a99d3
SHA512919f4204fcdb373cf44874b581a3e4eb49a88a1e7accfbae9e254eb67a223743ac4b0d1a605f412043d1e526ed75e6e42f65bf5eeec7762b21cc4efe75bf2ceb
-
Filesize
1KB
MD5bbd6c223f4db56fdd19b5f57a30a3887
SHA1c3c303e29fde48c6457e25845812fc1fc4e42ed9
SHA256d3132db40f0141cf7fa4adf2e17c304f83be81e3326b9127a213f689af97fee9
SHA51219fbdbca25d891f7f44124757653de82b3533b6eda4d1c2100d4e196d3d14750390ac4422abae23d071187763cc3ce6427457b6648b8d1ebbeeddf7743d1f934
-
Filesize
1KB
MD51c324901cf7a76e34b8e411258c6225c
SHA1a06bd0e80ed91c4c4902a16b9159cbc23da93e74
SHA256f6e0640b6ab89bef875a4931ce7303ee8e585c7925cc34a0b5c0f8b5e2a87fc9
SHA5124360818907292eddf3b344696e23722829acd846c45558043ab352fc49d64b52cd5919fbf06a9299c9e2e550a9a7f8295ba685d0bccbd46ce99bd8debf15a88d
-
Filesize
1KB
MD50113e513042ff75e361ddd2a8e012085
SHA1e3a997c8dcce29eaf9b8a7e8dc28fbf13966515b
SHA256e4bd27889fe0f26df446dddae4181329ffd0d293efe00258af7e34e4b6751a7c
SHA512e2329643203606024511e719537e571107dfb6dbfb5b24998aca4f41588bec0abf5a290971cea3f29260418513d2435ac2cd8f70e6649850b1fc575179e0c0c3
-
Filesize
1KB
MD5a07b83735c07d793879d09d47c18f959
SHA194a01d77f21194aea2354d06b1844235c7ca8f72
SHA2563f62d789cd05279121f0d3b31a9579eb3f35163255c821f6155d2600036f77e3
SHA51290cf453fc34353580d91b875afe222a8b0d54e039665d7dee8e9eeb7dbf8401980748be9d0651fc3e696bbdad68829cfa3191194c0328bb535052d64619ec423
-
Filesize
609KB
MD559f05604e1339bedd1ceab2e638fbc2f
SHA1f9ef358dc52af7e68a386ef68cc119bb0ce015a9
SHA256fe36b0dd4e8efbe4debaf8113b91e0f1b2cbb9e481f0dbaba0470513fe5bb520
SHA5124787e898d094810bfcf74b0973ac40d54c09b7e413247ca38d015440f0f5b10309bc3951b72be6595e272720de0eb27426fdd7872b858e78141c0ccd752fcfea
-
Filesize
606KB
MD5b8fd2562e68e98b596f2a51a19b98ca5
SHA1b942f7ce77fbda604aadb191e6acf8a063c6b369
SHA256c908f15d88ba7a0a097d92f87c0b989f86e4faae6c538a376abcf29bbc9f5b90
SHA512f0faf263393bb23e866dc79b03415df8ece95f3a6ffcca7802fdaf36b9e6628494983ac86ac53f240c7517d281914ad9d0a2921c37ae3a3f671f5a239e0a8d09
-
Filesize
1KB
MD57e200443122b40506bd79a166a87451c
SHA158c987b7fd025e65f1ce7cb9145b88048571e809
SHA2567da9d3e6ba6f518a7872e551d6497d5d127436c31ef8dfc1dfa76b771c2416eb
SHA512f84e414d4fcf633441253afd22ef8c66872cf7dd9a411e867a2dc4b6df29e51109bd30f422f795d76fb2e91d5a4f10072b1cba184ada924bb052214734e9ccf0
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001
Filesize1KB
MD5d823440a414b7dc563a88dc0d9fcde8a
SHA189a60ecd4d8896854af96b102c6b251ae2dd5fd9
SHA2564866f5194170287e9faa426b7a8eb638e35c4345557dafa2ba6864fbaaef51c8
SHA512a722fd9b468d5c5bd8307d0dba1794f7436aad35c86411843e2be3854379787e5654d8afba22d7cbbf2b4fe57166814c6bfaf06a45061204e598d840a61dc085
-
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000
Filesize1KB
MD51141963709aef7ebddc8a5675732ad1a
SHA198bd490a2553ae4e746a65844d827a33ce3a8eac
SHA256701c4c2592885274637652fefc1ef26b150c760e5a0e9439b21fc9aa693f0379
SHA5121480f7578b93c00f22f41db367b864b96fd6a8f38cddf3f0891b18bc9a6166803d6db9993c677df7ac412560a21bf5c0f1833e60edf65b04bc8720c4fd71a4d2
-
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
Filesize181KB
MD50bc621f6a22d7c0f3888c30a7a94a0e1
SHA1127c22310c4ca8402580fccf4bc5344693bc4ca0
SHA256b7590fbec0af3f40259ae5686a5b7bce1f5f1b21a90a7777452e8ec9e0d6f0e1
SHA512ebd2459430adf84003f1df113d2d819ba8f77e29ae4306bc85f7ffd0da6f3c14034c81956ef8bf27a6c83376c435edf5e1b969d3123c32771569ec4adcccd933
-
Filesize
3KB
MD5a8514fd9f3a52ab2a00f57494d03b2fe
SHA10e204aabbd8b5d6ee1b36d10429d65eb436afd14
SHA256056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
SHA5126250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b