Malware Analysis Report

2024-09-11 01:52

Sample ID 231014-lnbaaabg5w
Target NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe
SHA256 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
Tags
medusalocker evasion persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51

Threat Level: Known bad

The file NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

medusalocker evasion persistence ransomware

Suspicious use of NtCreateUserProcessOtherParentProcess

Medusalocker family

MedusaLocker payload

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (7547) files with added filename extension

Renames multiple (493) files with added filename extension

Deletes system backups

Deletes System State backups

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Uses Volume Shadow Copy service COM API

System policy modification

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2023-10-14 09:40

Signatures

MedusaLocker payload

Description Indicator Process Target
N/A N/A N/A N/A

Medusalocker family

medusalocker

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-14 09:40

Reported

2023-10-15 00:13

Platform

win7-20230831-en

Max time kernel

150s

Max time network

126s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2196 created 1264 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (7547) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host-views_ja.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SCHOL_02.MID C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CHECKER.POC C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\0.png C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\settings.css C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-background.png C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Vostok C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Java\jre7\lib\jfr\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0235319.WMF C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\RSSFeeds.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Scene_loop_PAL.wmv C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Shanghai C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5B.GIF C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\timeZones.js C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\weather.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46F.GIF C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\en-US\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\settings.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0093905.WMF C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\.lastModified C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\sd\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\THANKS.txt C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Windows NT\TableTextService\es-ES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files (x86)\Common Files\System\ado\es-ES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_bottom.png C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Thule C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0287005.WMF C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14982_.GIF C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\slideShow.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\redmenu.png C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Atikokan C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\Vdk10.lng C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\OUTGOING.ICO C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Push\1047_576black.png C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialMergeLetter.dotx C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.xml_1.3.4.v201005080400.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Black Tie.eftx C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_ON.GIF C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2196 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2620 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2620 wrote to memory of 2712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2712 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2712 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2824 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2824 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2500 wrote to memory of 2944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2944 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2944 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2944 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2464 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2464 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2464 wrote to memory of 2440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2440 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2440 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2440 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2420 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2420 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2420 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1428 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1428 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1428 wrote to memory of 2916 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2196 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

\\?\C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -network

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

N/A

Files

\Device\HarddiskVolume1\Boot\de-DE\HOW_TO_BACK_FILES.html

MD5 a8514fd9f3a52ab2a00f57494d03b2fe
SHA1 0e204aabbd8b5d6ee1b36d10429d65eb436afd14
SHA256 056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
SHA512 6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl

MD5 3ebbddb9a3db85f757dfb6b02ea98770
SHA1 87d13958d9c3141ff04958b43b9fbf09be9f8e99
SHA256 09387014a778bb2f8ce099ee4196f36a2a1a3de7234a74aeffca4d5e2e3e1aa7
SHA512 0eb28694e803259c14692af109934e10e5aecbfab5597835b0ed59b2208561794ae3012c9ac96f9a40efdcd04887ecd6806557df5b72f163b874230af6838802

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 28aec1a7d5111e137f1dfca3ef29666e
SHA1 ce9b569a6a2a3eaf326dfdfc9ebad02ec1fe5cdd
SHA256 93591dcc9e61c945a91acbf4be26a3b59d251b782957bf0f159f9d00e8176eb9
SHA512 5ed350258859dec35a2e9c67c66ec450a947b3f95a918806664ebd6b0da751ff26e178a48c665d5bdcdc8aa2ea0048d272aeefce00f9b3e25426f09cbcaa3b6f

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT

MD5 a027be0bc7d101224210948183646399
SHA1 ac73b2f83b24d2aeed841cac67bb7ef0b66e4349
SHA256 ac5bc1006b4ad2353778854277dea8f2844244f4f5f2067f62d9ef55bf24490f
SHA512 0c2694d2a3094d5e3b3b049954ab07792260022504982cb6a21a541b3136ecd143a47472648bfdd775dff094af8c549bfc620b736dd097f194dcc317db3a359f

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5

MD5 20946278f90aa8b93ef6e5bc52257e23
SHA1 95ed13cd68b1b793fb86ee2dff08f0d153e96793
SHA256 f11b89359ec77377927832ac094f37c8e0e39f33eff61df68902c08bedd87b9d
SHA512 77aa3d624a74374d95e7588f96cdf787147518d4b860f177b07f8131b2e3bf485cd189019f015a0a8436ae67b3a5a4a661253e2785e35bc3142dd0fdd7992d03

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10

MD5 8b4c3470cc8a360906844948527b2263
SHA1 129dc198941b42b1734fad6e7144042a780a7f10
SHA256 065ece26cdb80e256c647d1c05377518c80a78d9299412d253007a6921ad140a
SHA512 52b8c2dfcd7e01aa6543ad5a2f7af9ebdc44efe43d5dd128488b1452077d901fda54b27b5a2a6e3908b28521c3d15432a698d813248458aeb2a14fdbe47f47ea

C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7

MD5 030ed135741a0c45adf4609277b1ba3e
SHA1 b576d3cbe2ed36d23fd6f4f78ea9b7964340d23a
SHA256 bac5d5f71bb8e681936c3ef0433c9524e50e80bc849d29df79328da904fb12e9
SHA512 15e61c6066d7acca66742b4fe1a82a91795cc218b59f18cae14aa071d8c0274ddb8902d6788a33c8ef9e2adf980b7901712cb50fdb3ab3f08507619e8a8b702d

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 a9db9a44c3f5bdb7d87b36d40dceb6d0
SHA1 1e7cac3a45b4c409718d89077f160209e94701bb
SHA256 1f0f58d98ee113d861891ece93fea59f443d1b774981aa3d091901abb34016cd
SHA512 d3fd1a086cad7d3134d729a696b924cc3ebe48376e53e33c7bf93db5f92267ecb648ecc19e4cc7a833a6991e94c9750e5dedcf9bf4d4780fc9f66b63f2770592

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 a794a5ec45f7e4814244621c6c5d4fdf
SHA1 dbd37cd776fffaa1693bd0bd10e18f652bb062f2
SHA256 5775ef4fce435de2306df683eaacebab19f9081deb836974d63e4308295c9c10
SHA512 283f540c5dea45c5d14d3ab589de9fa1d3585d1094994ae4f77ce0ffe030084aa22e2cca4a515762d254a2aeb0d4e5c374e34dd1ef87716fab96824496cfdc5e

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

MD5 d3ffd498af7508b8c009953784ea3ad5
SHA1 3546137843d145773d77446675f36894c4e26416
SHA256 ed59b8dc45b56ff4c199a058070db699b5a995a60a44c7ba751239b85d2743e2
SHA512 225ce831f6d1da1354ea6282337a825620f9a27866f705cd79759846400e8a18fffda3dcd22d09063a7e45edbfaf866958e4d2dcba7164a1cf3d0b1bc990bcc5

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

MD5 da9161793f097002349b6945bd811b56
SHA1 a5f2e1a866dddeb2171cda67ed379652f3b63804
SHA256 06f5ef101d55661ae2a030afb1f363d7d5faf7e93c93b57065ad5e43f2181935
SHA512 60493cb3ea126ffd40ae34ef1f587311416db6fc47c20b7de23f5a45215054fd3b30374a5fd1126f9afd2dd5d4acf3360c8f3dbf1be064943aae36c5abdf496b

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA

MD5 95f935207cbd48624903f6a4baff4656
SHA1 b5849714a6678bdacec9d0db9f17d01cb8f4a077
SHA256 77da74f6af4339bb3e1aa0a4cfac06c86d9c338245472b84a6d127233620620b
SHA512 c946b601b75fd008b9e22df87be7b3ead9917a6dc24c8a2a1842ece6494529300f87e90766d6abf6ed6aa8080b47e588d99379c9a5f407ce00f2822a3d0e6bb4

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA

MD5 cfea348fea1f77b6301c80d580bbb872
SHA1 dee0cabbbfc2156f5f72b76e7e73b107c1d2651b
SHA256 47b0091178940d377519ff83d28182407f65dfee6eaf72be66fa99b87ef2105b
SHA512 6e0e4d4e608bb866e53de60c42cff0c73e528196361a5b15fdbca83e4dac65f7ccdc37f0ecf37bb8fdf43a879576d457ceb596f122ed5b22b8fcb18bd24964f1

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF

MD5 8580a558ef3d5c5d12ddd7bf778a3930
SHA1 8bc7628f1d22d164610301319002d1139773641c
SHA256 3c9961f8b13d1dc25ca72ea734cd394c80fa39a535eb227efadbdf28f192710b
SHA512 76afe2a20fc4691982197e0e7ab2621adeeadfaf48288399434ca993e618101451c31f950d07c1dbc995beb50ef0b2f20027d401694d6b465e83f79a0b43042b

C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-execution.xml_hidden

MD5 5c6b27942dfabd5061fbe352091812ac
SHA1 1200f955d9cfefe677eebcdeafea06e14c51731c
SHA256 91b67fffe04d80045e1334910a8999a020b13b261a38d90ac0f3535c74a45d49
SHA512 285c58061e7774569fe061230b56700ea235aa626d9e11db49fd326ad455356e27686818f7586f2afe6c4b318af56e2c03b813ef7173285769ac8e6ef7a15560

C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 c2d489a57c95120a8886baca3cdb6cd0
SHA1 5cd31f5002e3ee0a4edbda671994dca2171ecaff
SHA256 5148ec4a5809c84258b7a6443fba21db1d29ef40a51709f4a339a1bb389a99d3
SHA512 919f4204fcdb373cf44874b581a3e4eb49a88a1e7accfbae9e254eb67a223743ac4b0d1a605f412043d1e526ed75e6e42f65bf5eeec7762b21cc4efe75bf2ceb

C:\Program Files\Java\jre7\lib\zi\Etc\UTC.infected

MD5 bbd6c223f4db56fdd19b5f57a30a3887
SHA1 c3c303e29fde48c6457e25845812fc1fc4e42ed9
SHA256 d3132db40f0141cf7fa4adf2e17c304f83be81e3326b9127a213f689af97fee9
SHA512 19fbdbca25d891f7f44124757653de82b3533b6eda4d1c2100d4e196d3d14750390ac4422abae23d071187763cc3ce6427457b6648b8d1ebbeeddf7743d1f934

C:\Program Files\Java\jre7\lib\zi\SystemV\HST10

MD5 0113e513042ff75e361ddd2a8e012085
SHA1 e3a997c8dcce29eaf9b8a7e8dc28fbf13966515b
SHA256 e4bd27889fe0f26df446dddae4181329ffd0d293efe00258af7e34e4b6751a7c
SHA512 e2329643203606024511e719537e571107dfb6dbfb5b24998aca4f41588bec0abf5a290971cea3f29260418513d2435ac2cd8f70e6649850b1fc575179e0c0c3

C:\Program Files\Java\jre7\lib\zi\SystemV\EST5

MD5 1c324901cf7a76e34b8e411258c6225c
SHA1 a06bd0e80ed91c4c4902a16b9159cbc23da93e74
SHA256 f6e0640b6ab89bef875a4931ce7303ee8e585c7925cc34a0b5c0f8b5e2a87fc9
SHA512 4360818907292eddf3b344696e23722829acd846c45558043ab352fc49d64b52cd5919fbf06a9299c9e2e550a9a7f8295ba685d0bccbd46ce99bd8debf15a88d

C:\Program Files\Java\jre7\lib\zi\SystemV\MST7

MD5 a07b83735c07d793879d09d47c18f959
SHA1 94a01d77f21194aea2354d06b1844235c7ca8f72
SHA256 3f62d789cd05279121f0d3b31a9579eb3f35163255c821f6155d2600036f77e3
SHA512 90cf453fc34353580d91b875afe222a8b0d54e039665d7dee8e9eeb7dbf8401980748be9d0651fc3e696bbdad68829cfa3191194c0328bb535052d64619ec423

C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

MD5 59f05604e1339bedd1ceab2e638fbc2f
SHA1 f9ef358dc52af7e68a386ef68cc119bb0ce015a9
SHA256 fe36b0dd4e8efbe4debaf8113b91e0f1b2cbb9e481f0dbaba0470513fe5bb520
SHA512 4787e898d094810bfcf74b0973ac40d54c09b7e413247ca38d015440f0f5b10309bc3951b72be6595e272720de0eb27426fdd7872b858e78141c0ccd752fcfea

C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\vlc.mo

MD5 b8fd2562e68e98b596f2a51a19b98ca5
SHA1 b942f7ce77fbda604aadb191e6acf8a063c6b369
SHA256 c908f15d88ba7a0a097d92f87c0b989f86e4faae6c538a376abcf29bbc9f5b90
SHA512 f0faf263393bb23e866dc79b03415df8ece95f3a6ffcca7802fdaf36b9e6628494983ac86ac53f240c7517d281914ad9d0a2921c37ae3a3f671f5a239e0a8d09

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_K_COL.HXK

MD5 34d8b3c0f2877c500de2264caea6146c
SHA1 bfb85a1f2c1d7e28719c7fcdf69218b770a94c2e
SHA256 fdb73c4ad0f0aea67c092983ee66f0813c91cb44e8a3854bd27104d21fbede87
SHA512 4a6bdb3236a0d685657b12a5668a40232838632c99ebd110d71e8531184aafa9e7bdf6410fca59f7f867e71935e325220c73d88d6d5ebe633f84e01eed5a475f

C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_F_COL.HXK

MD5 71fd2d73c14ce297df06dae39c6c49d9
SHA1 1433a424a710c1abee3868d0c10c560ded23d407
SHA256 fee68e58227a3da22813c3ab528556c61e39c25330581bac29a1a7ef8ec332ef
SHA512 daab6110b2507f02ed5e369796eb7d670292424501674d8f0c793332a3249aeea0e7ae16c05e143d66ce5d3d0662752f8a42588026a14be08ec54796cc640e74

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

MD5 e6110efbbc0d98604e13a4fe95746ef6
SHA1 e411fcb7af19a1444bc7fb41d8ac6b7976f3861b
SHA256 a077112b95507d9f3c1354c7dde0cb27f2048b33f4132cdf19887496c84d6b09
SHA512 c711a9860841bdd89c7c0e5d9c9d134fdc8e6038d3edbda42f98c8a7c955f3b2a0460f80193f786697b9e5716e592343536422c4c5b6f23d5119931f5d898630

C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

MD5 37dc99e83256116c5c965b40f99c1c53
SHA1 cddf70ba1f6ca9666e1f6ec9e07f564feb1fe549
SHA256 67a49044671f13919a6355c41afbcc03ec24ee40bcdaa2d97611632a59cb4cca
SHA512 e4a6553df16439aa8b3a75c008ef4535fc4127f1307a954438e33a98713fb975916a26ccaf534cba35ab3b910b0436f3dd3cd39eb7b60a958e7e1d2324669909

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_F_COL.HXK

MD5 e6e96853eff2de7e7277406450163832
SHA1 ad30990a1bd8223b04d6dbb05eaa466043b04dad
SHA256 aad01d899f9374c30f42aa049438098ab85333ebb5d8dff9c0674ab48208d747
SHA512 6ad959624ba11c363fee071de168a8ea4c892956cc7c2bdcfcc15364b2cf5864ac266ff92eb6ca7c757e7fe37d5807982f811cb6526d55e4a9e115ec7b74af7f

C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_K_COL.HXK.infected

MD5 b1ad98b216f6eb0b416f2dad72481242
SHA1 ded296e07a2bef360ad3a5b6a7227808db9518de
SHA256 b30d9ffe461f209bc0b47edd1db84df075aa54766309f178d1dbc7fbbe7f99b4
SHA512 e89f9df4c02bad0776731a0a929f1ae283f44145d366295fee1baa0f923220f59573d544c3ae1b697273e4c735d6856b386dfd745fd3c9c580a6059d086d1dcc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_ON.GIF.infected

MD5 0082c0bba1302891ef66f66d3f2b7840
SHA1 702a50376461f47fb70d172089ada43101f5bfbc
SHA256 d79030f0505cedcd7a4dd85da7caaa4481c6b7957c8352834b49b97086e56a1f
SHA512 791f1e369f955e667b5b17f6d7d7383b1f0becf7c8fe44f72ee2d32ccc253b55ff2d91efa97fe388d877c24aaa11ae55b23f28cc3b30c9276ec6a8c79f90ad96

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\TAB_OFF.GIF.infected

MD5 43df997dc3bd96e2156c52f2791753a7
SHA1 f141f04ca45eeb5043000aec6470b192421c215d
SHA256 2fdffda46c9951da22f40abc6d1339586c4328eb4bf8d1f5be16951d5b21287d
SHA512 b892daeb22035f760e5b173d1c85458fea312627eca4e3f5524c4b739c6729cfa090a75c05fb46a7b9812bed29d668a6c34fd243c33414d97b94ea00dae62685

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_ON.GIF

MD5 63b5d814ad7f5013fb160f5db125068e
SHA1 5b9552bab627c2e2d5e5a3ac2763e46fec1dcb4a
SHA256 1a7a24b8ed1cbffe5630e8212804dd5edc34a0753881610e69a8ceea10f71f30
SHA512 53d21f8bccee754301b9cdcf5a285581023e1c4a0f244ea8c453222b9b88e134ed698dd88e535f1d797028be9fce991fd34efeff23bc0cce4aa56514947bb9dc

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\TAB_OFF.GIF

MD5 09895c51f4e430b7d18110790c696437
SHA1 ae02a8a3cc1703f944252d79870d566ebd51acf0
SHA256 3e804cb1c90e1f64952158f38e8e7627060ee8fb87649ee83c43156b40676fb6
SHA512 9b3b5c0841070c24411138382b5411194d9e1d45b978ae0b77eb8ebd327b2c06ea608b99395a0384d18fd633850879ed80eec36c220830c80422041b813aeb28

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

MD5 9628966e58adc8a53a902f30c648fcd9
SHA1 2400091c38b3a9ac72029e303990c9f8339e117c
SHA256 773481e3734e53bf19c417e0eb9b4a06f9b18c38acdffcc5831733d02778049f
SHA512 6fa4fd5b3ee1e67d28ad9cf029d3bb1205eaf5481a08f107da8b4a81fd5a5311065ec6df6db570b7b52483d4812e770a892f2657e0f9ffbabe62cae041e118ec

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

MD5 d1c60073c1bb7d508967bd6dee6ca80a
SHA1 d14aade749cbaf2e6e6d3bf00bd0f96a9f861fc6
SHA256 0823c4cb7fdb3f92a4fd7e3095976ccce376935c2a1fa8ce919180f10b261583
SHA512 a4022010b6f0249eab4c36ace96541639bd175f07c7c57bf74abd6c968c98112683cbf71800de3dbb3d40701817d6603e56dc45fb8289964018f4a1739ebf784

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

MD5 3471365a22e2a5eaed548a37c2fe39d1
SHA1 12a027bbade24fcb43d9aef3bb11b19161417603
SHA256 9af81250274089ada9ead5d19e70765e0d08221e270ee5e775f390d362eb93da
SHA512 9f1c412115ae30af7a0e3a2f33653ac16ffc71b7dfd19cc541304d9047530a238afe0254fa42eaa88650becafbdddc82b05ba25f1ba1a04a28dce8fda1721477

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

MD5 4a099d562c3ed15c63ff4e700ecf66a8
SHA1 993b58536783060b3988952a6fa23e2bacf9e0c6
SHA256 63a3f594a30f904f17aa998317b48371a0c1b60b4fccd595e1d1f8d55ebb5c10
SHA512 58eee3af710ed5e59d68e5f57abf3b0b7a86016bfa1d6efa8f5538fc2fe721908ab5b1b92f11c8934898f041c5cea8fb2f9ba018527c89abe3f561c8f6ae2d5b

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

MD5 9ecdcb5ab1ea0840b460d1f861dcecfe
SHA1 09e7c9d6efe46daf57d88992f7280ccac3ffb25b
SHA256 4db1e5ca48372be18b922cd16c16ef7b2790833c5854e76c594d2ba72d3e11ba
SHA512 5383ec6d577eb55b5ee57e3dd126bf3737a9896843184eaf5fd7380b911a935b1ef46ace6427e807fcfa9fe1a69d44525c2cd5e1425f371f8974c2f850b23dac

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

MD5 c2b9da84527928ca0259590a7e61e8f8
SHA1 abd3c9ebd64bf54ee4c7b39b722b85d64197c6eb
SHA256 2d904377174f263443e0eff64641e0453e4eb98f46290821c79a49c6739ba612
SHA512 30d07d564a7801ae1b0ca856a53d9506b097f3ae6e6fede01eee5d9902f792976f2a89f9f7aa8fa6b26ebc504488de4a71bd72cfcfd8e3d60262e8caef30fa42

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

MD5 7d7e72bf067336b04a578447106c0abf
SHA1 4127fff5d032babc0ca968734b698e0b2d7a7c9c
SHA256 089c4c0f3f22fa99c955d1f3a2eec0b1745d92b2fd938962a52c2fb4e4dea4c2
SHA512 134c53c1ba6febabbdc97bcf31ec1a7b2da14f02999dae1e881d0fca5b41e10c210a51f1e1382ec48c1e45e10e2f9024f33eed76aca5b1c6f2e4d3c3eaaefb39

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

MD5 6cfc00658a2c848fe2507457c95e6bf3
SHA1 6bdaa41cf5016f7540a0ec5b44516b093b65fff1
SHA256 9d0a342d8d1ca142428076204225ffc4d17a8c0764f6f698dd5385aeca0c0d9b
SHA512 d4030823212ff1da5361a1b179f8e6ef65b7658d004e54f9ce6ce3de8b633d2ea086afbb24cb14ad4a81fd831ebf4d01e3be618879afb23d22fa634aaa65172d

C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

MD5 d76d96f426d4c1b19593db98bec7e6f5
SHA1 822191f6a0662204a63f2597fb2e081c66a06ce0
SHA256 edef00e17f494e7f8dbc50d5f1c9906d3d38a5e5607140a3dc2dd33491882e18
SHA512 87c3649468b62235c69f81c06bf1f1d5cb304690806b64ef505e593eef2748ecc7b6e348ba410b987af9d61759764ffdc4d791bbb09d67a5d75325f5810c40e6

C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml

MD5 7408483362b6295247e3d0772f469d38
SHA1 33d72e9b9fffe6c402a121de30e56253a1d5da8a
SHA256 b0db29529749262b7c211d248e0f0604982ede370430343d28f7afdaa4ed7b68
SHA512 d6d5435f9746181cd9ab1cd7ad03627acdba2d05c08c44163fd136352014c310483fe4ce2a54ad28b7065b7943d7ba4a7dcfd9ec35d84cb75dad21481a1a7620

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\TALK21.COM.XML

MD5 7a0352593b3b59cfb0e11de135f635f1
SHA1 4697a31b2b27c2f9c5fe0bdc1dba16994f7f58b5
SHA256 5f55550c667d7247a0d31d6f0d8d421dd866d0092b2831b0305891099c2e0696
SHA512 6be5593d54af63b280718eee333c08aa7525ca5ee389dff344a37468dfae81d33b6c8e4578f9d63660555cb3d2983550ff17d1b655812a51e786c7338b481bb6

C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.HK.XML

MD5 6caaf5254a4573a37444bf01126a0cb1
SHA1 e8985857f33c928e43f09f6069dcb95e5961eb9d
SHA256 f04e386bf3edb54375d9b1746753313e6082eef6f33a256b8b0a3e1b2a0bf59f
SHA512 66179db3990c756d577767db1bc8fa901e7bf81f914f68b8762c5f96ecf191e165bc45fbbe783ae1e491496d3b5d613a1ea31801385054f3f11165c13b30677c

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck

MD5 7e200443122b40506bd79a166a87451c
SHA1 58c987b7fd025e65f1ce7cb9145b88048571e809
SHA256 7da9d3e6ba6f518a7872e551d6497d5d127436c31ef8dfc1dfa76b771c2416eb
SHA512 f84e414d4fcf633441253afd22ef8c66872cf7dd9a411e867a2dc4b6df29e51109bd30f422f795d76fb2e91d5a4f10072b1cba184ada924bb052214734e9ccf0

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAB0002.001

MD5 d823440a414b7dc563a88dc0d9fcde8a
SHA1 89a60ecd4d8896854af96b102c6b251ae2dd5fd9
SHA256 4866f5194170287e9faa426b7a8eb638e35c4345557dafa2ba6864fbaaef51c8
SHA512 a722fd9b468d5c5bd8307d0dba1794f7436aad35c86411843e2be3854379787e5654d8afba22d7cbbf2b4fe57166814c6bfaf06a45061204e598d840a61dc085

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.000

MD5 1141963709aef7ebddc8a5675732ad1a
SHA1 98bd490a2553ae4e746a65844d827a33ce3a8eac
SHA256 701c4c2592885274637652fefc1ef26b150c760e5a0e9439b21fc9aa693f0379
SHA512 1480f7578b93c00f22f41db367b864b96fd6a8f38cddf3f0891b18bc9a6166803d6db9993c677df7ac412560a21bf5c0f1833e60edf65b04bc8720c4fd71a4d2

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 0bc621f6a22d7c0f3888c30a7a94a0e1
SHA1 127c22310c4ca8402580fccf4bc5344693bc4ca0
SHA256 b7590fbec0af3f40259ae5686a5b7bce1f5f1b21a90a7777452e8ec9e0d6f0e1
SHA512 ebd2459430adf84003f1df113d2d819ba8f77e29ae4306bc85f7ffd0da6f3c14034c81956ef8bf27a6c83376c435edf5e1b969d3123c32771569ec4adcccd933

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-14 09:40

Reported

2023-10-15 00:15

Platform

win10v2004-20230915-en

Max time kernel

202s

Max time network

220s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1776 created 3212 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\Explorer.EXE

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (493) files with added filename extension

ransomware

Deletes System State backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Deletes system backups

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe\"" C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\management-agent.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\microsoft shared\TextConv\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.bat C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\ij C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\nb.txt C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\te.pak C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\ro-RO\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\va.txt C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TipRes.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpredbase.xml C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\it-IT\tabskb.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\v8_context_snapshot.bin C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\pl-PL\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\zh-TW\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Google\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Internet Explorer\ja-JP\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\rt.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\he.txt C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\es-ES\TabTip.exe.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\System\Ole DB\ja-JP\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\accessibility.properties C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fi-FI\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\hu-HU\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ja-JP\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\en-GB.pak C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\System\fr-FR\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\it-IT\oledb32r.dll.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\net.properties C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\insert\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sl.txt C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipsfin.xml C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\ipshi.xml C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\eo.txt C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File created C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\HOW_TO_BACK_FILES.html C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1776 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4980 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2592 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2592 wrote to memory of 5068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1776 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4304 wrote to memory of 3928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3928 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3928 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1776 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2692 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2360 wrote to memory of 3752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2360 wrote to memory of 3752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1776 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 2564 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4744 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4744 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1776 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1612 wrote to memory of 3916 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3916 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3916 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1776 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3220 wrote to memory of 4168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4168 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4168 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1776 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1456 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 1456 wrote to memory of 4292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 4292 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4292 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1776 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 3872 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 3872 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
PID 8 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 8 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1776 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe C:\Windows\SysWOW64\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlbrowser.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sql writer.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlserv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msmdsrv.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im MsDtsSrvr.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im sqlceip.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdlauncher.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im Ssms.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE

C:\Windows\system32\taskkill.exe

taskkill -f -im SQLAGENT.EXE

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im fdhost.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im ReportingServicesService.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im msftesql.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe

C:\Windows\system32\taskkill.exe

taskkill -f -im pg_ctl.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe

C:\Windows\system32\taskkill.exe

taskkill -f -impostgres.exe

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100

C:\Windows\system32\net.exe

net stop MSSQLServerADHelper100

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLServerADHelper100

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS

C:\Windows\system32\net.exe

net stop MSSQL$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW

C:\Windows\system32\net.exe

net stop MSSQL$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQL$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$ISARS

C:\Windows\system32\net.exe

net stop SQLAgent$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLAgent$MSFW

C:\Windows\system32\net.exe

net stop SQLAgent$MSFW

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser

C:\Windows\system32\net.exe

net stop SQLBrowser

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLBrowser

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS

C:\Windows\system32\net.exe

net stop REportServer$ISARS

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop REportServer$ISARS

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c net stop SQLWriter

C:\Windows\system32\net.exe

net stop SQLWriter

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop SQLWriter

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\SysWOW64\cmd.exe

\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\cmd.exe

C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic.exe SHADOWCOPY /nointeractive

C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe

\\?\C:\Users\Admin\AppData\Local\Temp\NEAS.51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51exe_JC.exe -network

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTATEBACKUP

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbadmin.exe

wbadmin delete backup -keepVersion:0 -quiet

C:\Windows\system32\bcdedit.exe

bcdedit.exe /set {default} recoverynabled No

C:\Windows\system32\wbadmin.exe

wbadmin DELETE SYSTEMSTABACKUP -deleteOldest

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp

Files

C:\Program Files\7-Zip\HOW_TO_BACK_FILES.html

MD5 a8514fd9f3a52ab2a00f57494d03b2fe
SHA1 0e204aabbd8b5d6ee1b36d10429d65eb436afd14
SHA256 056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028
SHA512 6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b

C:\Program Files\Java\jdk1.8.0_66\db\bin\ij.infected

MD5 5aa2c892c656c7c250e7a1dd1df3e652
SHA1 6c2c3cceba2b9f84da46743abcc54be390386c29
SHA256 0d1b81fd2bf87a062b0943398dc2ce1bd274e0f42e72eed7e696e9b60fc13e8a
SHA512 bd80170cc7d795493f9ab66257e2fa7768790ae0afb12dffe215538ac328344f7cfe923b41d94841a5096b9b50c65051ab2ac5fdeface7730e2416e3ff3c886a

C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

MD5 2d41116c2fa41e5524ee8b3bfff25d9d
SHA1 ac76d35825265ba9d0da3cb39a13f3481cf4c987
SHA256 013b2a850396a508b99cc19929743b8b984864f3a1336bf7e1e0d3f2de7d30ce
SHA512 98646d8cd4c80770a19396bba4fd34bdc3808a901971c7815b8b9601f3e59ff5fe9162e273c3e7ac4b1f20a12096a3ac0187b1426bfe9cc8f55a726a4404f58e

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\epl-v10.html

MD5 ee574016ad8afb6ec8ff595001dbf3d2
SHA1 857fa46cf3650c39fb3487afa887990ce8d69674
SHA256 6991a69e647dc425d1fb8989e2c1936d31399a972c6866521479e5a0ee0def77
SHA512 d7fe3a3cc74f51942c27850c445dd048b4d97c16419291e81856f73b0daf4a1e6fcf682eebbf630386fdcf385b6544628f4b6bf4755967685e07f6c93a364f29

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

MD5 aacdea28fd718479c90b33a6a38f1b20
SHA1 e64e1394f755fdbd7000de19967bb2c1247209b7
SHA256 bae9f4e936bc751c9a4160f3e5588799efc4cb1379c3c1c964a6e4060ec19d45
SHA512 f740e39fa961cd4be9ab1cdb5c3a20b27242786ca2e86f23a2e2bd3d62cde1054152a6c26f0973ca2df2dd6ef5414689755f746b463de1616a08632d2f2b702d

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf

MD5 446e0d3938425af282ab18355a6cc8f5
SHA1 07f0807a4f9f7649045322be1f4c33d3622856bf
SHA256 4f17dda3abad57e93e7343becfc042b95f8aba62578db278d8c6ac691e1dd279
SHA512 4095a6128cd1d208fc0a8cf8ce09f666749aba4ed27dd1b9f6c7ff2e8f51e19b2ca171805de5ae92c0a44d7eab0a5f9b23446bf3e41cb2bbe3633b5eabbfd249

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\epl-v10.html

MD5 1543401a683252c3b2646751a32013de
SHA1 541cc968e8dc191b44cbb56abbe808536e83b58a
SHA256 150f065ba69af41934047bd02087a417c5e18878f7bde7a99df1c2e56c92b3ac
SHA512 2042dea6b2012a47e706eac80bec3eaba7574b21972d610dc16b429bfc18425c5d6253a575f1c2e90c93666433ccf7239ea75f7f0376f8d9eb08b2a95bf183af

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html

MD5 fbd94147b854f170f40a089cd40d4aaf
SHA1 9b612c175db37081021571623df5835227c681ac
SHA256 25d993fcfccdb5701746a7a01f214fa1351070de67b770b05cc07589b4145d10
SHA512 d62739b026ed4c36c7ff0f0854882858805a148d4ef5d0046b385f0c3865cdab473e025cc21c4c7544dc27ed20ca9f11c41d3d9bb2e4fccbf3a9d0de47f37f54

C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\eclipse.inf

MD5 0c21fab5c49497846272ec828f119d58
SHA1 cb24d043076886232b3115a62f491924b559ea9e
SHA256 14152262d9742615d377b3d06c7608c70e7911dbb36e22c344fed5f6acfbd927
SHA512 ba0de99312b8d79131a372106ca1463a064b77e9f6f9023008224a6e65a2424176a288e0065feca623ebc9814545f378a232e9be5197e8fd13154a5305ff0473