Analysis
-
max time kernel
82s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
02-05-2023 07:17
Behavioral task
behavioral1
Sample
rundll64.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
rundll64.exe
Resource
win10v2004-20230220-en
General
-
Target
rundll64.exe
-
Size
236KB
-
MD5
4165a3dba3c7ac26b225f8623f70ebaa
-
SHA1
587df43d63da7dfd726a4bb8f39877647cc07da0
-
SHA256
523d97331fcef84ff767dbb01836766d8b1be9bbeb3d76e9fda3a02ad46fd976
-
SHA512
43ad74651aad95f16bd17f6fea857534c6c6502cb0c06262092e7b10ab59a27b663565668d6fd4436c72a114f632ab6940fc4f1914d165eba7e5a8a8b5743b8e
-
SSDEEP
6144:qb/A0SeQu0hL2cyBt2iOjese1HSCRhECwt6:q8D5P2ICsDCRhQ6
Malware Config
Signatures
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 2032 bcdedit.exe 3040 bcdedit.exe -
Processes:
wbadmin.exepid process 2052 wbadmin.exe -
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 1 IoCs
Processes:
rundll64.exedescription ioc process File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\rundll64.exe rundll64.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
rundll64.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll64 = "C:\\Users\\Admin\\AppData\\Local\\rundll64.exe" rundll64.exe Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll64 = "C:\\Users\\Admin\\AppData\\Local\\rundll64.exe" rundll64.exe -
Drops desktop.ini file(s) 3 IoCs
Processes:
rundll64.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI rundll64.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-144354903-2550862337-1367551827-1000\desktop.ini rundll64.exe File opened for modification C:\Program Files\desktop.ini rundll64.exe -
Drops file in Program Files directory 64 IoCs
Processes:
rundll64.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-phn.xrm-ms rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesstylish.dotx.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Grace-ppd.xrm-ms.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTest-ppd.xrm-ms.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_COL.HXC.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-windows_zh_CN.jar.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-pl.xrm-ms rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-phn.xrm-ms rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-xstate-l2-1-0.dll rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\JAWTAccessBridge-64.dll.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\BIPLAT.DLL.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART8.BDR.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\7-Zip\Lang\ext.txt.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-windows.xml rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar rundll64.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms rundll64.exe File opened for modification C:\Program Files\EditStop.xlsx rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ONBttnIELinkedNotes.dll rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml rundll64.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\sbicuuc58_64.dll.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf rundll64.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-pl.xrm-ms.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcDemoR_BypassTrial365-ppd.xrm-ms rundll64.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul.xrm-ms.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ppd.xrm-ms.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\7-Zip\Lang\mn.txt.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\awt.dll rundll64.exe File opened for modification C:\Program Files\Microsoft Office\FileSystemMetadata.xml rundll64.exe File created C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Retail-ul-phn.xrm-ms.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\US_export_policy.jar rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\leftnav.gif.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Client\vcruntime140.dll.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\id\msipc.dll.mui.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\zipfs.jar rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Ion Boardroom.thmx.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial2-ul-oob.xrm-ms rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ppd.xrm-ms rundll64.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-phn.xrm-ms.id[669BE710-3093].[[email protected]].eking rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\th\msipc.dll.mui rundll64.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Resources.pri rundll64.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-options.xml.id[669BE710-3093].[[email protected]].eking rundll64.exe File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.id[669BE710-3093].[[email protected]].eking rundll64.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4692 4364 WerFault.exe rundll64.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vds.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 4344 vssadmin.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
rundll64.exepid process 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe 1016 rundll64.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
Processes:
rundll64.exevssvc.exeWMIC.exewbengine.exedescription pid process Token: SeDebugPrivilege 1016 rundll64.exe Token: SeBackupPrivilege 2660 vssvc.exe Token: SeRestorePrivilege 2660 vssvc.exe Token: SeAuditPrivilege 2660 vssvc.exe Token: SeIncreaseQuotaPrivilege 3292 WMIC.exe Token: SeSecurityPrivilege 3292 WMIC.exe Token: SeTakeOwnershipPrivilege 3292 WMIC.exe Token: SeLoadDriverPrivilege 3292 WMIC.exe Token: SeSystemProfilePrivilege 3292 WMIC.exe Token: SeSystemtimePrivilege 3292 WMIC.exe Token: SeProfSingleProcessPrivilege 3292 WMIC.exe Token: SeIncBasePriorityPrivilege 3292 WMIC.exe Token: SeCreatePagefilePrivilege 3292 WMIC.exe Token: SeBackupPrivilege 3292 WMIC.exe Token: SeRestorePrivilege 3292 WMIC.exe Token: SeShutdownPrivilege 3292 WMIC.exe Token: SeDebugPrivilege 3292 WMIC.exe Token: SeSystemEnvironmentPrivilege 3292 WMIC.exe Token: SeRemoteShutdownPrivilege 3292 WMIC.exe Token: SeUndockPrivilege 3292 WMIC.exe Token: SeManageVolumePrivilege 3292 WMIC.exe Token: 33 3292 WMIC.exe Token: 34 3292 WMIC.exe Token: 35 3292 WMIC.exe Token: 36 3292 WMIC.exe Token: SeIncreaseQuotaPrivilege 3292 WMIC.exe Token: SeSecurityPrivilege 3292 WMIC.exe Token: SeTakeOwnershipPrivilege 3292 WMIC.exe Token: SeLoadDriverPrivilege 3292 WMIC.exe Token: SeSystemProfilePrivilege 3292 WMIC.exe Token: SeSystemtimePrivilege 3292 WMIC.exe Token: SeProfSingleProcessPrivilege 3292 WMIC.exe Token: SeIncBasePriorityPrivilege 3292 WMIC.exe Token: SeCreatePagefilePrivilege 3292 WMIC.exe Token: SeBackupPrivilege 3292 WMIC.exe Token: SeRestorePrivilege 3292 WMIC.exe Token: SeShutdownPrivilege 3292 WMIC.exe Token: SeDebugPrivilege 3292 WMIC.exe Token: SeSystemEnvironmentPrivilege 3292 WMIC.exe Token: SeRemoteShutdownPrivilege 3292 WMIC.exe Token: SeUndockPrivilege 3292 WMIC.exe Token: SeManageVolumePrivilege 3292 WMIC.exe Token: 33 3292 WMIC.exe Token: 34 3292 WMIC.exe Token: 35 3292 WMIC.exe Token: 36 3292 WMIC.exe Token: SeBackupPrivilege 1008 wbengine.exe Token: SeRestorePrivilege 1008 wbengine.exe Token: SeSecurityPrivilege 1008 wbengine.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
rundll64.execmd.execmd.exedescription pid process target process PID 1016 wrote to memory of 2156 1016 rundll64.exe cmd.exe PID 1016 wrote to memory of 2156 1016 rundll64.exe cmd.exe PID 1016 wrote to memory of 2152 1016 rundll64.exe cmd.exe PID 1016 wrote to memory of 2152 1016 rundll64.exe cmd.exe PID 2152 wrote to memory of 4332 2152 cmd.exe netsh.exe PID 2152 wrote to memory of 4332 2152 cmd.exe netsh.exe PID 2156 wrote to memory of 4344 2156 cmd.exe vssadmin.exe PID 2156 wrote to memory of 4344 2156 cmd.exe vssadmin.exe PID 2152 wrote to memory of 772 2152 cmd.exe netsh.exe PID 2152 wrote to memory of 772 2152 cmd.exe netsh.exe PID 2156 wrote to memory of 3292 2156 cmd.exe WMIC.exe PID 2156 wrote to memory of 3292 2156 cmd.exe WMIC.exe PID 2156 wrote to memory of 2032 2156 cmd.exe bcdedit.exe PID 2156 wrote to memory of 2032 2156 cmd.exe bcdedit.exe PID 2156 wrote to memory of 3040 2156 cmd.exe bcdedit.exe PID 2156 wrote to memory of 3040 2156 cmd.exe bcdedit.exe PID 2156 wrote to memory of 2052 2156 cmd.exe wbadmin.exe PID 2156 wrote to memory of 2052 2156 cmd.exe wbadmin.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\rundll64.exe"C:\Users\Admin\AppData\Local\Temp\rundll64.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Users\Admin\AppData\Local\Temp\rundll64.exe"C:\Users\Admin\AppData\Local\Temp\rundll64.exe"2⤵PID:4364
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 4603⤵
- Program crash
PID:4692
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off3⤵
- Modifies Windows Firewall
PID:4332
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable3⤵
- Modifies Windows Firewall
PID:772
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4344
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures3⤵
- Modifies boot configuration data using bcdedit
PID:2032
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no3⤵
- Modifies boot configuration data using bcdedit
PID:3040
-
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet3⤵
- Deletes backup catalog
PID:2052
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4364 -ip 43641⤵PID:1212
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2660
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:2768
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:3900
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76KB
MD54fcf65d3ad9691efc0f5963c0c85cc67
SHA10da9b686bba7d3ac17038068a26697568eddd563
SHA25693b750cdaba989a539174cb4412e859a62f568a8d1ea1c5c8f1a257d5981404c
SHA51223e1ccf0403f193119ab18321956e4887bce6d6352324ece0eb1577207d18a510efba26a71c6b6328f1ab9ed80ed97c5d2609fbb508009ed38ee694f2d591279
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
Filesize57B
MD5ab9d8ef2ffa9145d6c325cefa41d5d4e
SHA10f2bf6d5e1a0209d19f8f6e7d08b3e2d9cf4c5ab
SHA25665a16cb7861335d5ace3c60718b5052e44660726da4cd13bb745381b235a1785
SHA512904f1892ec5c43c557199325fda79cacaee2e8f1b4a1d41b85c893d967c3209f0c58081c0c9a6083f85fd4866611dfeb490c11f3163c12f4f0579adda2c68100
-
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png
Filesize138B
MD5a2bb242dc046bacdc58e7fbbe03cce85
SHA1052ab788f1646b958e0ea2c0ef47d00141fc1004
SHA256486a8212c0d6860840d883981ca52daaad3bf3b2ab5be56cdc47ed9b42daba22
SHA512d9bb4c0658f79fbcf22697c24bc32f4ef27ddf934e8f41cf73a2990d18cdb38379f6b61e50edef8ebdf5a2f59a0f8fa40e000b24f1c55a06cfa161db658326ad
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml
Filesize431B
MD52c16868331f82ff43059dcb0ea178af3
SHA1983589535e05c495ffeae4b0b31ddcfafe92a763
SHA256be9ceb4464b22203feffd3700c5570b7d6d44c5d0d357148e1e6d5be5e694376
SHA512184653d3e40df84cd0052e5d9477201f276ce0e8cbb5e4b7bfac86fc7da325eef476982910be24c20725a6db6617fffd88998d6053c1b694718bc7ab0bde9ea1
-
Filesize
411B
MD5f7c78514872f9cb5585f8d69532cd2d0
SHA1ff9dfbb62a3b48c85b6434ee831fb33a8dba9526
SHA2565f7bcd85900e62abb00ce739eaad53d80170a4a6152d951b6825110d2fc17965
SHA51250ee6ae916ea0e806b73c2e5bb727f6ee4837a696c5bd8559ede78148b40a5d5cdd135e28c8b5153a8fef568fd21ef0708ca198ace89e7120ffb84fd9bc91c01
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml
Filesize429B
MD5d7d2fed9b7c55fe72a6cda66725cb7e8
SHA12cb154a1c4a0553658801a088edf87b5816cbbd2
SHA256a6df5cb2b51fa56609c7daf08d28f0e41801b96f9514a9d179992a63afd516b5
SHA5120ba4d570d624cc5aa6af629260668ad805285fcedd61002999734fe04cae47016cf52022c327cf22935ded99b30c52d9f041ead60a3425365116bf1bf4cbcf5e
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml
Filesize400B
MD5a75d7d422fd00bf31208b013e74d8394
SHA13d59f8de55a42cc13fb2ebda6de3a5193f2ee561
SHA2567a12e561363385e9dfeeab326368731c030ed4b374e7f5897ac819159d2884c5
SHA512af3a1e15594a0bf08ae34a5948037ef492e71ee33d5d4ac9f24b18adf99a34563ab40ba8f47f2adff5d928f18d8a8cd60fc78e654e4d6cf962292d2f606def66
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml
Filesize437B
MD5ceb1e6764a28b208d51a7801052118d7
SHA12719eea8bde44ff35dd7b274df167c103483b895
SHA25699d48b66d590c07b14f4cd68adac79e92616afcf00503a846b6bf4599bfeabc0
SHA512f4a2df6229bca6c6ef9ef9f432847683238715eddcb1f89c291da5f5900c9a3461204d8495c3450c8bae1c1a661424089554d316468ba1b039a2c50d6e69bf29
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml
Filesize463B
MD548e296d8287ae11c252e4277ee885161
SHA18a75b573549c2791d38acb3a4d215fa2153b37eb
SHA256c94a9a55369ccc4b41a71b9c18b04e1778a0913447ca6b5a630135f7a7ac0c1b
SHA512b17a5a8a6009bfde681829bd7be3b550d8b8bf6bfee19bdd55567163890550980ac0633fd956f117006892638f408c63449d4520b0716e6866ab0858cc3f743b
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml
Filesize473B
MD5437687da72730cf42ce36bd093b78b3e
SHA1693e31dc362426bc4d7a6b2954f7c80267476d66
SHA256d0d0b1face19fe4a88c6b51f6ced55ae0e00ac548b75809d88089ad431da5d3a
SHA5127d05e270926dcb452ce405dac9dab6e9e1a0dd247bc93f0940826eb4abecf827acb6f42ef32d3b6f6ac4b46b28d522e0b25f6b8b679affb9a198db8ba4fe2daa
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml
Filesize417B
MD59f89b49e6e4b81eb9a3ef6a5d8924461
SHA117ee8eae11a1fb327f3344cc549bef305de408c5
SHA256d739aa103e35aa5efd0fe49dd14d9360b5a83261b164d6d3277a24fed97ff8fc
SHA512ef2f26b00ee4dccdb28fc1bb6c960cab9ae6f72f126bee21104b865b8e7833b35a64abf464b71cc34e954a8ccdb805544729368caee2a84b8ab97914c30fa761
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml
Filesize405B
MD5bb95a9de280c528c32806d0d5231de6d
SHA1bbffb8596f1bc68df5603a10a3672a02ebd3ea8b
SHA256a7ca0125b93e1a5681d5a9c294ec3a4e5680cc58e44fd223d2dac04232b7367c
SHA512ac4cad4f24495aa6b0d5ed8aa439554f479cc2fdba4d5dd256f1983fa43a4121c8fdf79ad7ec9d9a396a73fd480bf2f5141ab5303d50c8b6d2ce47d158010a80
-
C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml
Filesize407B
MD50188bed9647ab3c0f81dc3e4b5589baa
SHA105493cad7050ee0cba5255847941736898503dd3
SHA256f5d3f822a8435f91f7a5d54b720aa637f8b8f8102c7670d1b52d98f2d0123beb
SHA51220e40619e02c24acd461fe07a7d7e448bdd03f423221ecde05ec206eb7b520d3d500e3b5988122b97a8752fe2cc7b305417692ec73d4568dcf49b2c3c4fb8d0b
-
Filesize
153B
MD5d13b5ffdeb538f15ee1d30f2788601d5
SHA18dc4da8e4efca07472b08b618bc059dcbfd03efa
SHA256f1663cceeb67ba35c5a5cbf58b56050ddbe5ec5680ea9e55837b57524f29b876
SHA51258e6b66d1e6a9858e3b2ff1c90333d804d80a98dad358bb666b0332013c0c0c7444d9cb7297eff3aeee7de66d01b3b180629f1b5258af19165abd5e013574b46
-
Filesize
527B
MD5ff9a2d3be0b1b401f5bbae30ab62a24d
SHA129d8cda271ced9cf1d430029fa4ab0d6ba5948c0
SHA256fd13695474bc8227057e56cb7013cea630c9ad3a2a134b7b412293f850c1df43
SHA5120dd906600b44350136079b23488fd72b0f1a8a4eed594b26a692a725a62a741707b2811005dc11a389e5da89ebfd7040519342813035047bbee906a20beff2e1
-
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml
Filesize1KB
MD50b783b2c6d8aa254f3e90187725263aa
SHA1df2e49e32c8e1d25b17d410addf35badc22ef90f
SHA256590de671f8b144c3ec28a4e953a91685bb6c2a97c7c25c08d44003445bc2fe3e
SHA512ef532a7213505f49d95b05cf27d64e1b45ef9ded6b057ba0501fb0b62631784f21f235a0842c58b2b27522e06bb383afefd3220c85064b729b45131692fa2461
-
Filesize
744B
MD5809457c05fe696f5d34ac5ac8768cdd4
SHA1a2c3e4966415100c7d24f7f3dc7e27d2a60d20c9
SHA2561b66520d471367f736d50c070a2e2bba8ad88ac58743394a764b888e9cb6f6be
SHA512cf38e01d3e174ff4b8070fb88ead7e787143ce7cf60b91365fafd01cacc1420337654083a14dfb2caa900141a578717f5d24fa3cadd17c1a992d09280fd8dc44
-
Filesize
42B
MD5c183857770364b05c2011bdebb914ed3
SHA1040e5ac904de86328cca053a15596e118fc5da24
SHA256094c4931fdb2f2af417c9e0322a9716006e8211fe9017f671ac6e3251300acca
SHA5128ac7790c0687f86d2d0ca82cfc9921c8cd6e6f5392594317d5ee6f3661500de58ebd5ef6300a412c23ed1cd2748c5eadeeb9719f32758590bd4168a0259bbd70
-
Filesize
114B
MD5301657e2669b4c76979a15f801cc2adf
SHA1f7430efc590e79b847ab97b6e429cd07ef886726
SHA256802bbf1167e97e336bc7e1d1574466db744c7021efe0f0ff01ff7e352c44f56b
SHA512e94480d20b6665599c4ed1bc3fc6949c9be332fd91a14cef14b3e263ab1000666e706b51869bc93b4f479bb6389351674e707e79562020510c1b6dfe4b90cc51
-
Filesize
113B
MD5b9205d5c0a413e022f6c36d4bdfa0750
SHA1f16acd929b52b77b7dad02dbceff25992f4ba95e
SHA256951b1c95584b91fd8776e1d26b25d745ad5d508f6337686b9f7131d7c2f7096a
SHA5120e67910bcf0f9ccde5464c63b9c850a12a759227d16b040d98986d54253f9f34322318e56b8feb86c5fb2270ed87f31252f7f68493ee759743909bd75e4bb544
-
Filesize
24B
MD51681ffc6e046c7af98c9e6c232a3fe0a
SHA1d3399b7262fb56cb9ed053d68db9291c410839c4
SHA2569d908ecfb6b256def8b49a7c504e6c889c4b0e41fe6ce3e01863dd7b61a20aa0
SHA51211bb994b5d2eab48b18667c7d8943e82c9011cb1d974304b8f2b6247a7e6b7f55ca2f7c62893644c3728d17dafd74ae3ba46271cf6287bb9e751c779a26fefc5