10323389cde5...f3.exe
windows7-x64
1323389cde5...f3.exe
windows10-2004-x64
1365712147d...a7.exe
windows7-x64
9365712147d...a7.exe
windows10-2004-x64
105474e75872...06.exe
windows7-x64
105474e75872...06.exe
windows10-2004-x64
10out.exe
windows7-x64
3out.exe
windows10-2004-x64
359c59ef90d...4d.exe
windows7-x64
1059c59ef90d...4d.exe
windows10-2004-x64
1063fb410fc5...22.exe
windows7-x64
763fb410fc5...22.exe
windows10-2004-x64
79443472de4...e5.exe
windows7-x64
19443472de4...e5.exe
windows10-2004-x64
197a877b999...8d.exe
windows7-x64
1097a877b999...8d.exe
windows10-2004-x64
10a0f5def5aa...93.exe
windows7-x64
1a0f5def5aa...93.exe
windows10-2004-x64
1abfe442282...b1.exe
windows7-x64
1abfe442282...b1.exe
windows10-2004-x64
1b21f34ecfa...73.exe
windows7-x64
9b21f34ecfa...73.exe
windows10-2004-x64
9b4b97aa67e...a9.zip
windows7-x64
1b4b97aa67e...a9.zip
windows10-2004-x64
1svchost.exe
windows7-x64
9svchost.exe
windows10-2004-x64
9b8ce017478...a8.exe
windows7-x64
9b8ce017478...a8.exe
windows10-2004-x64
9bbb4627895...f2.exe
windows7-x64
1bbb4627895...f2.exe
windows10-2004-x64
1bdf06acf03...63.exe
windows7-x64
1bdf06acf03...63.exe
windows10-2004-x64
1Resubmissions
21-01-2024 14:52 240121-r8syqaeac7 10
21-01-2024 14:51 240121-r8k8waeac5 10
01-01-2024 13:55 240101-q776kscacp 10
Analysis
-
max time kernel
181s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system -
submitted
01-01-2024 13:55
Behavioral task
behavioral1
Sample
323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
323389cde5a3059c6c6e5c6c711d11e434a577b11dc07a9aeb7f8e1fb661ecf3.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
365712147d687fb2eb2d5cb612586c7d3d7364277441491a3ab379a4a1128ba7.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
5474e75872eeb1e34cbe407c73409d4c65da7bd6aa9378b356bb3c12f316c506.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral7
Sample
out.exe
Resource
win7-20231129-en
Behavioral task
behavioral8
Sample
out.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral9
Sample
59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
Resource
win7-20231215-en
Behavioral task
behavioral10
Sample
59c59ef90d1370297375d4e3195eabe2a031251bc939fae962a835d8336a8a4d.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral11
Sample
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222.exe
Resource
win7-20231215-en
Behavioral task
behavioral12
Sample
63fb410fc5267c61c5099927af714a8f5f4ba6dcdeeb1f297b022879767c7222.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral13
Sample
9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5.exe
Resource
win7-20231215-en
Behavioral task
behavioral14
Sample
9443472de461e9e7a9d7b7d89fa13815521db1ecebea5054643664953ee366e5.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral15
Sample
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Resource
win7-20231215-en
Behavioral task
behavioral16
Sample
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593.exe
Resource
win7-20231215-en
Behavioral task
behavioral18
Sample
a0f5def5aaaefa3ae538da9c643a5e381ea89cdee3e451ab1d0c52181d758593.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral19
Sample
abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1.exe
Resource
win7-20231215-en
Behavioral task
behavioral20
Sample
abfe4422828c6515e7b53c50a8f07dda0169f4ee34173357b6fa35b06fe144b1.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral21
Sample
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
Resource
win7-20231215-en
Behavioral task
behavioral22
Sample
b21f34ecfa7135153d506b3fde2a0d0bd23b44eccedc635cbfa474e321040273.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral23
Sample
b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9.zip
Resource
win7-20231215-en
Behavioral task
behavioral24
Sample
b4b97aa67e2fbfa344053be1c101cbd6560b0a5cfe2de8e2e637ba90c4df2ca9.zip
Resource
win10v2004-20231215-en
Behavioral task
behavioral25
Sample
svchost.exe
Resource
win7-20231129-en
Behavioral task
behavioral26
Sample
svchost.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
Resource
win7-20231215-en
Behavioral task
behavioral28
Sample
b8ce0174783c9c7ec30f96f8857c356e61365562463457d3ef0d1f62f4d302a8.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral29
Sample
bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2.exe
Resource
win7-20231215-en
Behavioral task
behavioral30
Sample
bbb46278959b4628106319457405a8cc04681c82c2c8afa30475d50ed63417f2.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral31
Sample
bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163.exe
Resource
win7-20231215-en
Behavioral task
behavioral32
Sample
bdf06acf03785275d01d4135b432b56b31c7f352f9be3cf8eca00286251aa163.exe
Resource
win10v2004-20231215-en
General
-
Target
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe
-
Size
333KB
-
MD5
db88a1bd11ca3aab7a0890a10a10f45d
-
SHA1
0e01e118613962e364b76869bcfb9d26cf0a6505
-
SHA256
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d
-
SHA512
b6e374ea42e023d973baa2c8c3ce8c34a7c8ffa1aefd52f787eb51f980e1e1f8c2c6081d90cd0cf1b15166b86ed57dc2d7b9adde5021dd00cc629f8aae8df023
-
SSDEEP
6144:YemY9cZrt2pF+M9htFl/1M0lpj9G/OaZE8ABInatk1:/9cm+M9vFl/1HrNInatk1
Malware Config
Extracted
F:\How_to_back_files.html
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
The parent PID named in the IoC below (1208) is Explorer.EXE in the process tree further down, so the sample appears to have created a process with Explorer as its nominal parent (parent-PID spoofing); detections that rely solely on parent/child lineage may not attribute that child to the sample.
description pid Process procid_target PID 2816 created 1208 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 5 -
Deletes shadow copies 2 TTPs
Ransomware often targets shadow copies and other backups to inhibit system recovery; here this is reflected in the vssadmin.exe, wbadmin.exe and bcdedit.exe executions listed in the other signatures and in the process tree.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 2568 bcdedit.exe 2364 bcdedit.exe -
Renames multiple (1351) files with added filename extension
Bulk renaming of files with an appended extension is characteristic of ransomware encrypting the files on the system; the ransom note How_to_back_files.html is dropped alongside the modified files (see the Program Files IoCs below).
-
pid Process 2884 wbadmin.exe -
pid Process 2700 wbadmin.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\R: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\K: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\B: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\J: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\L: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\Q: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\F: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\I: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\T: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\X: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\Y: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\Z: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\G: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\E: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\H: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\M: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\O: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\P: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\S: 
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\U: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\A: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\W: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened (read-only) \??\V: 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\System\Ole DB\de-DE\msdasqlr.dll.mui 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\directshowtap.ax 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.metadata.repository.prefs 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\MainMenuButtonIcon.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\How_to_back_files.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program 
Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program Files\Common Files\System\Ole DB\de-DE\How_to_back_files.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\La_Paz 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861258748.profile.gz 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\button-highlight.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\1047x576_91n92.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Troll 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program 
Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\How_to_back_files.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG.wmv 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationLeft_ButtonGraphic.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program Files\Google\How_to_back_files.html 
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_ButtonGraphic.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_ButtonGraphic.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\How_to_back_files.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\InputPersonalization.exe.mui 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsfra.xml 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Common Files\System\ado\es-ES\msader15.dll.mui 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\How_to_back_files.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for 
modification C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationRight_SelectionSubpicture.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Kwajalein 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\How_to_back_files.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipshrv.xml 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program Files\Common Files\System\ado\ja-JP\How_to_back_files.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\How_to_back_files.html 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program 
Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Yakutsk 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Campo_Grande 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationLeft_ButtonGraphic.png 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme.nl_zh_4.4.0.v20140623020002.jar 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240389.profile.gz 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe File created C:\Program Files\Common Files\Microsoft Shared\ink\pt-PT\How_to_back_files.html 
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl wbadmin.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 2584 vssadmin.exe -
Kills process with taskkill 14 IoCs
pid Process 944 taskkill.exe 476 taskkill.exe 1668 taskkill.exe 380 taskkill.exe 1004 taskkill.exe 1144 taskkill.exe 1572 taskkill.exe 1576 taskkill.exe 2256 taskkill.exe 824 taskkill.exe 2988 taskkill.exe 2960 taskkill.exe 2424 taskkill.exe 2616 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -
Suspicious use of AdjustPrivilegeToken 35 IoCs
description pid Process Token: SeDebugPrivilege 2616 taskkill.exe Token: SeDebugPrivilege 2988 taskkill.exe Token: SeDebugPrivilege 824 taskkill.exe Token: SeDebugPrivilege 1576 taskkill.exe Token: SeDebugPrivilege 1668 taskkill.exe Token: SeDebugPrivilege 2960 taskkill.exe Token: SeDebugPrivilege 476 taskkill.exe Token: SeDebugPrivilege 2424 taskkill.exe Token: SeDebugPrivilege 380 taskkill.exe Token: SeDebugPrivilege 2256 taskkill.exe Token: SeDebugPrivilege 1004 taskkill.exe Token: SeDebugPrivilege 1144 taskkill.exe Token: SeIncreaseQuotaPrivilege 3008 WMIC.exe Token: SeSecurityPrivilege 3008 WMIC.exe Token: SeTakeOwnershipPrivilege 3008 WMIC.exe Token: SeLoadDriverPrivilege 3008 WMIC.exe Token: SeSystemProfilePrivilege 3008 WMIC.exe Token: SeSystemtimePrivilege 3008 WMIC.exe Token: SeProfSingleProcessPrivilege 3008 WMIC.exe Token: SeIncBasePriorityPrivilege 3008 WMIC.exe Token: SeCreatePagefilePrivilege 3008 WMIC.exe Token: SeBackupPrivilege 3008 WMIC.exe Token: SeRestorePrivilege 3008 WMIC.exe Token: SeShutdownPrivilege 3008 WMIC.exe Token: SeDebugPrivilege 3008 WMIC.exe Token: SeSystemEnvironmentPrivilege 3008 WMIC.exe Token: SeRemoteShutdownPrivilege 3008 WMIC.exe Token: SeUndockPrivilege 3008 WMIC.exe Token: SeManageVolumePrivilege 3008 WMIC.exe Token: 33 3008 WMIC.exe Token: 34 3008 WMIC.exe Token: 35 3008 WMIC.exe Token: SeBackupPrivilege 320 vssvc.exe Token: SeRestorePrivilege 320 vssvc.exe Token: SeAuditPrivilege 320 vssvc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2816 wrote to memory of 2832 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 30 PID 2816 wrote to memory of 2832 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 30 PID 2816 wrote to memory of 2832 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 30 PID 2816 wrote to memory of 2832 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 30 PID 2832 wrote to memory of 2640 2832 cmd.exe 32 PID 2832 wrote to memory of 2640 2832 cmd.exe 32 PID 2832 wrote to memory of 2640 2832 cmd.exe 32 PID 2832 wrote to memory of 2640 2832 cmd.exe 32 PID 2816 wrote to memory of 2004 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 33 PID 2816 wrote to memory of 2004 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 33 PID 2816 wrote to memory of 2004 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 33 PID 2816 wrote to memory of 2004 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 33 PID 2004 wrote to memory of 2604 2004 cmd.exe 35 PID 2004 wrote to memory of 2604 2004 cmd.exe 35 PID 2004 wrote to memory of 2604 2004 cmd.exe 35 PID 2004 wrote to memory of 2604 2004 cmd.exe 35 PID 2604 wrote to memory of 2616 2604 cmd.exe 36 PID 2604 wrote to memory of 2616 2604 cmd.exe 36 PID 2604 wrote to memory of 2616 2604 cmd.exe 36 PID 2816 wrote to memory of 2812 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 38 PID 2816 wrote to memory of 2812 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 38 PID 2816 wrote to memory of 2812 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 38 PID 2816 wrote to memory of 2812 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 38 PID 2812 wrote to memory of 1640 2812 cmd.exe 40 PID 2812 wrote to memory of 1640 2812 cmd.exe 40 PID 
2812 wrote to memory of 1640 2812 cmd.exe 40 PID 2812 wrote to memory of 1640 2812 cmd.exe 40 PID 1640 wrote to memory of 1572 1640 cmd.exe 41 PID 1640 wrote to memory of 1572 1640 cmd.exe 41 PID 1640 wrote to memory of 1572 1640 cmd.exe 41 PID 2816 wrote to memory of 2956 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 42 PID 2816 wrote to memory of 2956 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 42 PID 2816 wrote to memory of 2956 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 42 PID 2816 wrote to memory of 2956 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 42 PID 2956 wrote to memory of 3016 2956 cmd.exe 44 PID 2956 wrote to memory of 3016 2956 cmd.exe 44 PID 2956 wrote to memory of 3016 2956 cmd.exe 44 PID 2956 wrote to memory of 3016 2956 cmd.exe 44 PID 3016 wrote to memory of 2988 3016 cmd.exe 45 PID 3016 wrote to memory of 2988 3016 cmd.exe 45 PID 3016 wrote to memory of 2988 3016 cmd.exe 45 PID 2816 wrote to memory of 2624 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 46 PID 2816 wrote to memory of 2624 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 46 PID 2816 wrote to memory of 2624 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 46 PID 2816 wrote to memory of 2624 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 46 PID 2624 wrote to memory of 2364 2624 cmd.exe 48 PID 2624 wrote to memory of 2364 2624 cmd.exe 48 PID 2624 wrote to memory of 2364 2624 cmd.exe 48 PID 2624 wrote to memory of 2364 2624 cmd.exe 48 PID 2364 wrote to memory of 824 2364 cmd.exe 49 PID 2364 wrote to memory of 824 2364 cmd.exe 49 PID 2364 wrote to memory of 824 2364 cmd.exe 49 PID 2816 wrote to memory of 1992 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 50 PID 2816 wrote to memory of 1992 2816 
97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 50 PID 2816 wrote to memory of 1992 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 50 PID 2816 wrote to memory of 1992 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 50 PID 1992 wrote to memory of 1956 1992 cmd.exe 52 PID 1992 wrote to memory of 1956 1992 cmd.exe 52 PID 1992 wrote to memory of 1956 1992 cmd.exe 52 PID 1992 wrote to memory of 1956 1992 cmd.exe 52 PID 1956 wrote to memory of 1576 1956 cmd.exe 53 PID 1956 wrote to memory of 1576 1956 cmd.exe 53 PID 1956 wrote to memory of 1576 1956 cmd.exe 53 PID 2816 wrote to memory of 1724 2816 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe 54 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this run the sample does not use it to protect data: the process tree below shows it deleting shadow copies and backups (`vssadmin.exe Delete Shadows /All /Quiet`, `wbadmin delete backup -keepVersion:0 -quiet`, `wbadmin DELETE SYSTEMSTATEBACKUP`) and changing boot configuration (`bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures`), after first killing SQL Server/PostgreSQL-related processes and stopping their services via `taskkill` and `net stop` — presumably so database files are not held open, the inhibit-system-recovery pattern typical of ransomware (MITRE ATT&CK T1490 Inhibit System Recovery, T1489 Service Stop). Note that several of the commands are malformed and would not achieve their intent: `taskkill -f -im sql writer.exe` (space splits the image name), `taskkill -f -impostgres.exe` (missing space after `-im`), `bcdedit.exe /set {default} recoverynabled No` (misspelled `recoveryenabled`), `wbadmin DELETE SYSTEMSTABACKUP -deleteOldest` (misspelled `SYSTEMSTATEBACKUP`), and `wmic.exe SHADOWCOPY /nointeractive`, which appears to lack the `delete` verb and would only enumerate shadows. Treat the well-formed vssadmin/wbadmin deletions and the `bootstatuspolicy` change as the effective recovery-inhibition steps; the `vssvc.exe` process (PID 320) listed at the end of the tree is most likely the VSS service started in response to these requests. A 32-bit process redirecting through `%windir%\sysnative\cmd.exe` to reach the native 64-bit tools is itself a useful detection signal.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1208
-
C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe"C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2816 -
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c rem Kill "SQL"3⤵
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c rem Kill "SQL"4⤵PID:2640
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlbrowser.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlbrowser.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sql writer.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sql writer.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\system32\taskkill.exetaskkill -f -im sql writer.exe5⤵
- Kills process with taskkill
PID:1572
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlserv.exe4⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\system32\taskkill.exetaskkill -f -im sqlserv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2988
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msmdsrv.exe4⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\system32\taskkill.exetaskkill -f -im msmdsrv.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:824
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe3⤵
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im MsDtsSrvr.exe4⤵
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\system32\taskkill.exetaskkill -f -im MsDtsSrvr.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe3⤵PID:1724
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im sqlceip.exe4⤵PID:1068
-
C:\Windows\system32\taskkill.exetaskkill -f -im sqlceip.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1668
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe3⤵PID:2888
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdlauncher.exe4⤵PID:2068
-
C:\Windows\system32\taskkill.exetaskkill -f -im fdlauncher.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2960
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im Ssms.exe3⤵PID:1692
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im Ssms.exe4⤵PID:656
-
C:\Windows\system32\taskkill.exetaskkill -f -im Ssms.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:476
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE3⤵PID:1348
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im SQLAGENT.EXE4⤵PID:1076
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im fdhost.exe3⤵PID:3060
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im fdhost.exe4⤵PID:724
-
C:\Windows\system32\taskkill.exetaskkill -f -im fdhost.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:380
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe3⤵PID:792
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im ReportingServicesService.exe4⤵PID:3056
-
C:\Windows\system32\taskkill.exetaskkill -f -im ReportingServicesService.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2256
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im msftesql.exe3⤵PID:1828
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im msftesql.exe4⤵PID:2000
-
C:\Windows\system32\taskkill.exetaskkill -f -im msftesql.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1004
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe3⤵PID:2472
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -im pg_ctl.exe4⤵PID:2180
-
C:\Windows\system32\taskkill.exetaskkill -f -im pg_ctl.exe5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1144
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c taskkill -f -impostgres.exe3⤵PID:1928
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c taskkill -f -impostgres.exe4⤵PID:744
-
C:\Windows\system32\taskkill.exetaskkill -f -impostgres.exe5⤵
- Kills process with taskkill
PID:944
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQLServerADHelper1003⤵PID:1608
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQLServerADHelper1004⤵PID:1048
-
C:\Windows\system32\net.exenet stop MSSQLServerADHelper1005⤵PID:2548
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQLServerADHelper1006⤵PID:864
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$ISARS3⤵PID:2796
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$ISARS4⤵PID:904
-
C:\Windows\system32\net.exenet stop MSSQL$ISARS5⤵PID:620
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$ISARS6⤵PID:3032
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop MSSQL$MSFW3⤵PID:684
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$ISARS3⤵PID:2500
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$ISARS4⤵PID:1712
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLAgent$MSFW3⤵PID:984
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLAgent$MSFW4⤵PID:2040
-
C:\Windows\system32\net.exenet stop SQLAgent$MSFW5⤵PID:3028
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$MSFW6⤵PID:2212
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLBrowser3⤵PID:2108
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLBrowser4⤵PID:1936
-
C:\Windows\system32\net.exenet stop SQLBrowser5⤵PID:2192
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLBrowser6⤵PID:2336
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop REportServer$ISARS3⤵PID:2064
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop REportServer$ISARS4⤵PID:1332
-
C:\Windows\system32\net.exenet stop REportServer$ISARS5⤵PID:1728
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop REportServer$ISARS6⤵PID:1504
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c net stop SQLWriter3⤵PID:2400
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop SQLWriter4⤵PID:2120
-
C:\Windows\system32\net.exenet stop SQLWriter5⤵PID:2528
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLWriter6⤵PID:2308
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet3⤵PID:2692
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet4⤵PID:1564
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /All /Quiet5⤵
- Interacts with shadow copies
PID:2584
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet3⤵PID:2728
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin delete backup -keepVersion:0 -quiet4⤵PID:2504
-
C:\Windows\system32\wbadmin.exewbadmin delete backup -keepVersion:0 -quiet5⤵
- Deletes system backups
- Drops file in Windows directory
PID:2700
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP3⤵PID:2840
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP4⤵PID:2600
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTATEBACKUP5⤵
- Deletes System State backups
PID:2884
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures3⤵PID:796
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures4⤵PID:2596
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
PID:2364
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No3⤵PID:2516
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c bcdedit.exe /set {default} recoverynabled No4⤵PID:2752
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} recoverynabled No5⤵
- Modifies boot configuration data using bcdedit
PID:2568
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive3⤵PID:1816
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wmic.exe SHADOWCOPY /nointeractive4⤵PID:1872
-
C:\Windows\System32\Wbem\WMIC.exewmic.exe SHADOWCOPY /nointeractive5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3008
-
-
-
-
C:\Windows\SysWOW64\cmd.exe\\?\C:\Windows\SysWOW64\cmd.exe /c %windir%\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest3⤵PID:2856
-
-
-
C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe\\?\C:\Users\Admin\AppData\Local\Temp\97a877b999fb2a3c8286548ac4b20f364a862b132a87272fe273c670a654ba8d.exe -network2⤵
- System policy modification
PID:1688 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:2928
-
-
-
C:\Windows\system32\taskkill.exetaskkill -f -im SQLAGENT.EXE1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
C:\Windows\system32\net.exenet stop MSSQL$MSFW1⤵PID:1616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop MSSQL$MSFW2⤵PID:2496
-
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c net stop MSSQL$MSFW1⤵PID:836
-
C:\Windows\system32\net.exenet stop SQLAgent$ISARS1⤵PID:2532
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop SQLAgent$ISARS2⤵PID:2900
-
-
C:\Windows\system32\cmd.exeC:\Windows\sysnative\cmd.exe /c wbadmin DELETE SYSTEMSTABACKUP -deleteOldest1⤵PID:2732
-
C:\Windows\system32\wbadmin.exewbadmin DELETE SYSTEMSTABACKUP -deleteOldest2⤵PID:3004
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
7KB
MD58a1668338b2571681eaab178076ede83
SHA131582a6be003b3a59e5234b2d4d479ed74eebe98
SHA2569415e0945a3afa467dfb305b983fcca8deada58d61bf9f77a50e1d79d9215290
SHA5122753139d6b5425741f920ca1b7d3f5223903f955b5017a3e2b6a306946a894c2acc77afe9642ccc454a2fc1c92a112cd4f7ef26c87768e52b010ae155232e0b2
-
Filesize
1KB
MD5873ac0de2e9dd3f7b3115499d90051aa
SHA1573c092687f234d2cbfbff5015f4805446772c6b
SHA2560364be209519b91a83007260c59eb02f38f3a6e715dca953d0507c3c31ad4964
SHA512b0627052889599f083b6b91005b4baf513f46b135f95b0ecdba920d78e1ce958fe37e968cb2b019175f683989f6b3da77dd0ac6a6baa233a586572498ca185b9
-
Filesize
1KB
MD5c2b792dc173343406433c289df00aef1
SHA1b141523ce842270d600787993fb24d306b6879a5
SHA25630e3be687c9738f79d7e048d8ad6bb07dc5b8dac140bd0f30a46a5f52a7b8f12
SHA512b5fd2d21721bc7a09157c2ced681af3334e4b90681e3a8a016eff517e8b2ae65ee2993c4fbd186c8cefc4377edb2d38664028c521348c8c65d47b1d09dfcc0c2
-
Filesize
1KB
MD50138afdd45f64ba58c517f0875249cd8
SHA120ab8a7b0146d90b43c404ead9edb19e462e74c2
SHA256f5770f846214e505b12fd9c3bb8eb346bbdc4d46c7990f2129b5f65017f45729
SHA512f67c6b9bd503463b957dc817fd4fa17bf085c7fe29002e1194efef7403ab3de97e7046e0d7810ca7aec89f5e1cfa0eaefdbacc6bf7ed04d30ffa063258e04752
-
Filesize
1KB
MD579e54ecc489702a359c5567d9fc55213
SHA1c9f634f06fc656110deba6276ab943a9218a1e73
SHA2568ecd5da238fd2c97a794e3453fcc96e55b49afc905cf2a631ebb3127fc02d201
SHA512f808e3bfcbcb276f8a538824a97400487d139676f13326ea26dbf1e6f159c93f22fa027dc98542a3cae686b2f8eba549d64ec37d4962747d3ad81a0b304fa4a6
-
Filesize
1KB
MD5ce5b883f175ac22cab166ebb506a780d
SHA137b238a6f9a6fb0ac7ed2dc579804e4fbf09c259
SHA256b794441ea28281d77a48612ec79683c43b574a98bc63c54f72cab943c5d5e485
SHA512c1a9588844ec25c500973431f42b88286c2a453cdac954445fe8c25877811deb5dd93af32cc85cd7ef86b46ed448b71633dbfa759ca79e7b92ea5cfed4bbdb50
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize13KB
MD5747c281dd719858b03ec82d6ea942030
SHA14410c4d983a53a61fdcda596f1b2ab4518c0a93c
SHA2561fe9326573af969c03eab3f79fe004cdf857c61440653f27a5b39808fc5c6f36
SHA5120a6adec6b067bca911ede59709d0a65fd24853e828595d97aea1f36a68dc6beae2940e75a8073fb69dd7d990eea24aeceb143085b57ef917c8ddc6183cab1a3b
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize10KB
MD59c4fc99f52cccc09ced7a167b0ca89cc
SHA134279adb2eb23985c5a2951a83eb0f2cfdcec413
SHA25634fcf90adc20f13e1fdfdcabd5e8e6e33b7663b311e4328c7f2733b17ddbff47
SHA512a5a9ca78ea2d305ed153f08132e6f5fb344a8d255e90580f2630fdcad59fa0da4d2fae518f25317c7bb117fae8e1466136f1c801c7202d48aaa17029d0b91840
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA
Filesize9KB
MD574626644833cd4810465286b1f1286ad
SHA1324ef8ab4dffae221879211bc55fc3c4a7c5f7bc
SHA256a4b4e74b61cded33141319530379171c2620fe8b5fabc8988c3c3521c394b9c3
SHA512b0da6b225f6b39f099e3b8bbce3d4d19f6be4984acd1a221452d4bb9eaa63373303a999fd4361bcadad83669e9196ffcea92a11452853d3af55d0d84326b6d7d
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf
Filesize1KB
MD51a497ca074e54d7bfc02e0b9d68b74a8
SHA1925efe6b6366014b42ffa2e10fcd0bf745fec948
SHA2566e76c313e322e9e2273a027c843a3ab947ac44dd407eb32d47bcc73315f074b9
SHA5125d7e5b4e76ca5bed7edd1ba059c4735cdf30c91bdc14f07e100a26d1aaadc43d856681af68172913a60c7d953627f8976f899955ed92f436bb5295f6229ffffe
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt
Filesize12KB
MD555450f1bc34ad4ef8288b0fac863776c
SHA1f0b0053725535658d37f9f437ef8304e5d2f94ad
SHA2566afa3c5ba25327fbd39026f889fb81079fb074776d28f9039b8a95edb97f7e07
SHA512523241b7306b63f8beb2b087056199b80b26911417f39ba6986fdeb3735297966e7797e7adbb629fee05bc35376a680693e663f38ca468215f2cb64077320193
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize13KB
MD56cbf99beda0046bccc27af369d50656d
SHA1662820132c4bcced91a6da2470a7ba1729f77365
SHA2560302a6c315bd9f4d34c3f3e4096ac62aa99526edd543279a14167d3cc34d12c1
SHA512ac433b9a9887f663e5e5b4420570a3f0eff7dea9c8e490bb159ff37ab642c0ea9c1aa937f462158dd46caa3cd7855e9b1fa2156acd7b7c47952d1f745311a2fd
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize10KB
MD5f1447bfc5ab2c16f4b6d3a300d251801
SHA1a1f81a232987df8431d4ff15e17bfd2b97a5b03a
SHA256f7fa5f197557bef79a01ad8203be40778f0a54e61ea5583316128d3e9108c239
SHA5129c70eb066657a2c7bfdedfca23c362249ae86905aa9807d45cd310147d779a936701c7f11f699281ab270fef4b4525f6e62d313b01d6f373d0b766415dbb7ac8
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html
Filesize10KB
MD54403f25f9b249a6f3253321011813ea5
SHA176768ada791d8a124c0b2dab57953fc2bbe2e381
SHA25611ca9e32616628c2a5408eca3541f445ecd0aebbf9530e37c09d98518d9d315d
SHA512a50e64567bb0c0ef9904436239fa0dea5905d8540cec26493ddcbd236ff6eb89e47d2beea139db60689c4cf4d77c32637fa57ed2b11bb0c8b977c41c75d283fd
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\epl-v10.html
Filesize13KB
MD54d8e1ee186da54070da0f487f2fffae3
SHA161a46f90fb5d582db1b8193994cd7770d7e9e651
SHA256e9905ff70129193d86740e671badce30704462d8d506b0af0565f35123b7893a
SHA512b68a828938ae02acba4bbfb6b3dee8fe27d9ed241767649e828e24cfd4c4486219fb91d4e7ea89c6374b466519d95bc4965130ac16b193dde9b0759f66cb9b77
-
Filesize
5KB
MD5740bbabd47bf81732aafa1fba9ca2e88
SHA194f115f3e10501cf5156459222b67aaccf1ba9aa
SHA2569c57eef1c15886196b0db61e17d767a8c48b5d512b224eb376943425e2f75314
SHA512e7f5dc357ef89e73466aa085bb255bfd7fa3714564f9469605fd5de26202677cfbcc4fa84446a339a1be31bdd99182430ee7ad762d7c39f90a1db60a7d9fd9ee